The keys are the essential element of a full

The 2011 PlayStation Network
outage was the result of what the Sony company says was an “external
intrusion” on Sony’s PlayStation Network services. Personal
details from approximately 77 million accounts were compromised and prevented
users of PlayStation 3 and PlayStation Portable consoles from
accessing the service online. The attack occurred between April 17 and April
19, 2011, forcing Sony to turn off the PlayStation Network on April 20. Two
main types of attacks occurred: Classic data breach and Distributed denial-of-service
attack (DDoS) continually stressing PlayStation network servers with tasks. At
the time of the outage, it was one of the largest data security breaches in
history, surpassing the 2007 TJX hack which affected more than 45
million customers. Sony could have prevented this from happening with a few
minor adjustments in their security system, but bad judgements from employees
and low standard company morals and principles allowed this cyber attack to

We must
understand the scenario of the data breach and events leading up to the attack
to understand sole responsibility of the hack. For security reasons, and
because Sony is historically very sensitive on releasing information on topics
that make the company look bad, we will probably never have access to the full
detailed report on the attack. The outage lasted for a total of 23 days. On May
4 Sony decided to finally confirm that personally identifiable
information from each of the 77 million accounts had been exposed. The
first suspect Sony thought to be the main hacking agent in this case was
PlayStation 3 jail breaker named George Hotz, aka “geohot” for his hacking
name. Hotz had a history with PSN Network and is accused of breaching the
Digital Millennium Copyright Act and other laws after he published an
encryption key and software tools on his website that allow PlayStation owners
to run pirated games and develop and run personal softwares on the system. This
act by Hotz was made possible from an academic presentation displayed at the
27th Chaos Communications Congress technical conference by a hacking group
named “fail0verflow”. The group explained the methods they’d generated for
having successfully penetrated the device’s security model, yielding the root
signing and encryption keys (Cite, Cite). These keys are the essential element
of a full breach, capable of installing and running any new software on any
PlayStation 3 unit (Cite, Cite). These Chaos technical conferences are supposed
to be chance for companies to take a look back at their security procedures and
find ways to improve they systems somehow. The CISO department and CEO of Sony,
Howard Stringer, deemed the situation to be slightly threatening and made a few
security patches to update the PlayStation 3 system. Sony failed to take into
account of the information that the PlayStation 3 alone can possibly become
breached, and what that information being out there means for skilled and experienced
hackers such as Hotz. Sony should have taken that situation serious from that possibility
alone, but once Hotz posted the rootkit on his

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now




website, it was too late for the company.
Sony decided to start taking actions against George Hotz and filed on January
11, 2011 for an application for a temporary restraining order (TRO) against him
in the US District Court of Northern California (Cite, Cite). Sony also demanded
social media sites, including YouTube, to hand over IP addresses of people who
visited Geohot’s social pages and videos. Sony wanted to produce a list of
usernames of people who watched any of Hotz’s videos or ready any of his blogs.
This lawsuit between Sony and Hotz was handled out of court, on the condition
that Hotz would never hack any Sony products again (Cite). Today, the main
assumed suspects are the hacking group that goes by the name Anonymous, due to
recent attacks during that time period. This large-scale cyber attacked was
propelled by the weakness learned by Hotz in exposing the PSN’s security
mechanisms on his website. The hacking group possibly found a vulnerability large
enough to simply step right in with an SQL injection attack. SQL
injection is a hacking method, used to attack data-driven applications, in which
malicious SQL codes are inserted into an entry field for execution on the
system. SQL codes must exploit a security vulnerability as did the situation
with Sony. Another possible reason of vulnerability a new firmware update
released a few months before the hack called “Rebug”. This update effectively turns
a PS3 into a developer unit and activates many types of features that consumers
can not normally access. The Rebug firmware gives your console trusted access
to Sony’s internal developer network. With this firmware installed, it’s
possible that customer details database became easily accessible. It’s also
possible that Sony’s security mechanisms simply did not account for an internal
attack from a trusted network.

With more
investigation taken place, more responsibility from Sony was demanded from the
situation. The view of Sony as a worldwide leader in technological advancements
decreased after this data breach as many people understandably lost trust. They
received harsh criticism from PS3 users on how the situation was managed. At
first, the problem was said to be fixed in 48 hours. Nearly a week after the
outage, Sony decided to confirm to the public that personally identifiable
information such as PlayStation Network account username, password, home
address, email address, and possibly credit card info had been compromised. It
was disputed that if Sony deemed the situation so severe that they had to turn
off the network, Sony should have warned users of possible data theft sooner
than on April 26. It was nearly enough time for users to close accounts or to
make sure data was not altered. Sony declined to appear before the May 4, 2011,
hearing convened by the House Committee on Energy and Commerce, the company
sent an eight-page letter detailing what it was doing to the Subcommittee on
Commerce, Manufacturing, and Trade (Cite). In this letter, Sony outlined that
the company was a victim of a greatly sophisticated and greatly planned cyber
attack. They


wanted to have enough evidence provided
before releasing statement that personal information was stolen at the time of
attack. This majorly affected the company economically as well. Going into the
year of 2011, Sony had recently lost $3.18 billon dollars. Sony said this loss
was the result of “a non-cash charge to establish a valuation allowance
… against certain deferred tax assets in Japan.” (Cite). This was due to the
impact of the earthquake Japan and the economy experienced earlier in the year.
Sony lost approximately $171 million dollars following the PSN outage. More
than 250 million through the end of 2012, continuing to clean up defenses
(Cite). The money for Sony expenses include: money for security improvements, “Welcome
Back” packages for online users, and an estimate of the impact on
future profits of the security breach and resultant outage (Cite). If
someone reports credit card fraud from the hack, they need to have money ready
to be distributed to that person. In a total of two years Sony lost around 421
million dollars, more if you include the year of 2010.