Sony PlayStation System Hacking Incident Highlights Web-Security Gaps

April 27, 2011 at 5:44 PM EDT
Sony officials announced Tuesday that hackers might have obtained personal information, including credit card numbers, from 77 million users of its PlayStation gaming system. Ray Suarez discusses the breach's impact on Sony, its users and the future of online security with former hacker and editor Kevin Poulsen.


JEFFREY BROWN: Next, it happened again, a major data breach involving personal information.

Ray Suarez has the story.

RAY SUAREZ: The latest episode involved millions of people around the world who use Sony’s PlayStation video game system and who may have had their credit card information stolen in a hacking incident.

The intrusion caused the company to shut down PlayStation’s Internet network a week ago. It provides access to online gaming, music, movies, sports and TV shows. Seventy-seven million user accounts were disconnected worldwide. But it wasn’t until yesterday that Sony disclosed a hacker obtained information, including players’ names, addresses, birth dates, email addresses, passwords and log-in names.

And on the company’s blog, Sony spokesman Patrick Seybold said, “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.”

Near Sony headquarters in Tokyo, some said the breach may stop them from using PlayStation.

KAZUNORI SANO, resident of Tokyo (through translator): I will be afraid of playing with the game machine after hearing of this. I don’t want my credit card information to be leaked out somewhere else in the world.

RAY SUAREZ: And in Australia, police urged PlayStation users to be vigilant.

DETECTIVE SUPERINTENDENT COL DYSON, New South Wales State Police Force: It would appear that the risk in relation to credit cards may be low. But if people have concerns, they should be talking to their banks and watching for unauthorized usage of the cards.

RAY SUAREZ: Some industry experts say the scale of the breach could cost the company billions of dollars.

THOMAS PUHA, “Pelaaja”: This is going to have a very negative impact on a business that they have built up, because I think a lot of — obviously, a lot of consumers will really be very wary of putting their credit card information back online or even buying anything.

RAY SUAREZ: Sony said it expects the PlayStation Network to be restored in a week. In the meantime, an outside security firm has been hired to investigate what Sony deems the malicious intrusion.

For a closer look at all this, we turn to Kevin Poulsen, senior editor at A former hacker himself, he’s also author of a new book, “Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground.”

And, Kevin, for those people who aren’t gamers, why would you have to load personal information into a game console in the first place?

KEVIN POULSEN: Well, a lot of gaming takes place now online. You have multiplayer games where you could play with or against opponents live in real time.

And, of course, a game console isn’t just a game console anymore. You want to be able to download movies and other content. And all — you pay for all of that, which means you have to give up this information.

RAY SUAREZ: Sony says it has no direct evidence that credit card numbers were taken, but it says — quote — “We cannot rule out the possibility.”

When you have had a breach, when someone has been rifling around in your files electronically, can you tell what they have seen and what they haven’t?

KEVIN POULSEN: There are usually — there’s usually some kind of trail left, yes. But if the hacker is good and took steps to cover his or her tracks, then it could — it could take a while to extract that.

I imagine that’s why Sony took so long to announce this. They were probably hoping to find better news. They were probably hoping to find evidence that the — that information wasn’t accessed. Now that they have brought in an outside company, I expect they will know a lot more than they do now, eventually. Of course, they — they may know more than they’re telling us now.

RAY SUAREZ: The PlayStation system has been down for over a week, disappointing a lot of people who are frequent users.

Does that long-term shutdown tell you something about the seriousness of the breach, that they’re not patching it, but rebuilding the whole network?

KEVIN POULSEN: Absolutely.

It’s a really radical measure to take. And it’s surely going to cost them a lot of money and a lot of fan loyalty. There are people that aren’t even going to care about the breach itself who are just going to be extremely angry that they were denied access to the PlayStation Network for so long. So, it’s bad news all around.

If this had just been a casual intruder, a recreational intruder, some kid working from his bedroom, I doubt they would have taken this measure. So, they probably have some indication that this was a serious, focused attack.

RAY SUAREZ: Well, as we reported earlier, they got user names, passwords, various other kinds of personal information. What’s the risk to account holders at this point?

KEVIN POULSEN: You know, the biggest risk is probably with the personal information, especially the passwords, because a lot of people use the same passwords everywhere.

So, that, coupled with your email address and your real name and your date of birth, the hackers will, if this was done for profit, then, all of that could wind up being sold on the black market, probably for a nice sum of money.

And then, whoever buys it, other computer intruders could use the information to try and hack into other accounts held by these PlayStation Network users. It could be anything from Facebook to online banking. You could use it to stage scams targeting the users in other ways.

So, it could be — it could wind up that this becomes the first stage in a lingering problem that haunts users for a long time, if, in fact, that that was the nature of the breach.

RAY SUAREZ: So, given what you just said, what should an individual account holder do to protect him or herself?

KEVIN POULSEN: The first thing you should do, if you used — if you’re a PlayStation Network user and you use your password anywhere else, you should change those passwords.

You should also be alert to unauthorized charges on your credit cards. Start checking your on — your statements frequently online in near to real time for a while, in case there are fraudulent charges. And you should especially be alert to scams that are targeting you using information that may have been lost in the breach.

So, if you get an email that purports to be from Sony in particular, and that has your user name and your date of birth and all of this other stuff, it may not be from Sony, and you probably shouldn’t click on any links.

RAY SUAREZ: Internet-enabled computers and game consoles used to be kind of two different animals. But now that you can access the Web using a game console, should you be cautious when you do something like buy a game or update your information? Should you switch back to your computer to do those kinds of transactions?

KEVIN POULSEN: Your computer is definitely not safer than your game console. Game consoles generally can’t be hacked from the outside. So, at least you have that measure of security.

So, there’s really a — the fact is, these kind of breaches are happening everywhere, and they don’t just affect online systems. They have — we have seen credit card numbers stolen from brick-and-mortar outlets as well. So, the scale of this breach makes it extraordinary. It’s quite unusual.

But it doesn’t mean that you’re not safe doing things on the Internet. You’re really, at this point, no less safe doing things online than you are conducting transactions in real life, because everything, it turns out, is connected in some way to the Net.

RAY SUAREZ: And, very briefly, Kevin, we mentioned earlier that you used to be a hacker. Has the state of the art advanced a great deal? Is it like the arms race, where people are figuring out how to breach the walls at the same time as people are trying to thicken the walls on the other side of the encounter?

KEVIN POULSEN: Yes, the state of the art has improved dramatically since my day back in, like, 1991 on both sides.

The hackers — the hackers have the upper hand right now. The good guys are playing defense. And there are reasons for that. Part of it is that the defenders are trying to defend against attacks that haven’t been invented yet, so they’re kind of playing catchup.

And we have seen a lot of sophistication, a lot of people doing this full-time, and making a lot of money at it.

RAY SUAREZ: Kevin Poulsen, thanks for joining us.

KEVIN POULSEN: Thanks for having me.