Sony said it believed the intruders collected the log-in credentials from another source, not from Sony’s networks, and were able to gain access to the Sony accounts because customers used the same credentials with their Sony accounts.
Phil Reitinger, Sony’s new chief information security officer, made the announcement on the company’s blog.
He wrote that intruders tested a “massive set of sign-in IDs and passwords” at web sites for several of its properties – Sony Entertainment Network (SEN), PlayStation Network (PSN) and Sony Online Entertainment (SOE). Most of the log-in credentials failed to gain the intruders access, but about 60,000 credentials matched those used by SEN and PSN users; another 33,000 matched credentials for SOE accounts.
“[G]iven that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks,” Reitinger wrote.
He noted that a “small fraction” of the accounts showed activity after they were accessed, but that the intruders couldn’t get at credit card account information. Sony has since locked all of the accounts accessed through the attack until customers can be notified to change their passwords.
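The pattern Reitinger describes above, a large list of ID/password pairs replayed against the sign-in endpoint with the overwhelming majority failing, is what a defender looks for in authentication logs, and the follow-up in the paragraph above, locking the accounts the attackers actually got into, falls out of the same aggregation. The following is an added example, not code from Sony or from the article: it aggregates constructed sign-in log lines per source address, flags sources that try many distinct IDs with a high failure rate (the thresholds, the log format and the sample addresses are assumptions made for the example), and lists the accounts those sources successfully signed into.

```python
"""Flag credential-stuffing sources in sign-in logs and list the accounts
they got into, so those accounts can be locked pending a password reset.
Added example with assumed log format and thresholds; not Sony's code."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample log (not real Sony data); one attempt per line:
# "<timestamp> <source IP> <sign-in ID> <LOGIN_OK|LOGIN_FAIL>"
# 203.0.113.9 sprays ten different IDs and lands two of them;
# 198.51.100.4 is one user mistyping their own password twice.
SAMPLE_LOG = """\
2011-10-08T02:00:01Z 203.0.113.9 alice@example.com LOGIN_FAIL
2011-10-08T02:00:02Z 203.0.113.9 bob@example.com LOGIN_FAIL
2011-10-08T02:00:02Z 203.0.113.9 carol@example.com LOGIN_OK
2011-10-08T02:00:03Z 203.0.113.9 dave@example.com LOGIN_FAIL
2011-10-08T02:00:03Z 203.0.113.9 erin@example.com LOGIN_FAIL
2011-10-08T02:00:04Z 203.0.113.9 frank@example.com LOGIN_FAIL
2011-10-08T02:00:04Z 203.0.113.9 grace@example.com LOGIN_FAIL
2011-10-08T02:00:05Z 203.0.113.9 heidi@example.com LOGIN_FAIL
2011-10-08T02:00:05Z 203.0.113.9 ivan@example.com LOGIN_OK
2011-10-08T02:00:06Z 203.0.113.9 judy@example.com LOGIN_FAIL
2011-10-08T09:15:10Z 198.51.100.4 alice@example.com LOGIN_FAIL
2011-10-08T09:15:30Z 198.51.100.4 alice@example.com LOGIN_FAIL
2011-10-08T09:16:02Z 198.51.100.4 alice@example.com LOGIN_OK
2011-10-08T10:00:00Z 192.0.2.77 mallory@example.com LOGIN_OK
"""


@dataclass
class SourceStats:
    """Per-source-address counters."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)  # distinct sign-in IDs tried
    hits: Set[str] = field(default_factory=set)   # sign-in IDs that succeeded

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> Tuple[str, str, str, bool]:
    """Split one log line into (timestamp, source, user, success)."""
    ts, src, user, result = line.split()
    if result not in ("LOGIN_OK", "LOGIN_FAIL"):
        raise ValueError("unknown result field: %r" % result)
    return ts, src, user, result == "LOGIN_OK"


def aggregate(log_text: str) -> Dict[str, SourceStats]:
    """Roll the log up into one SourceStats per source address."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, user, ok = parse_line(line)
        s = stats[src]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.hits.add(user)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing(stats: Dict[str, SourceStats],
                  min_distinct_users: int = 5,
                  min_failure_ratio: float = 0.5) -> List[str]:
    """A source trying many distinct IDs with mostly failures is replaying a
    credential list obtained elsewhere; a single user retrying their own
    password trips neither threshold. Thresholds are assumed values."""
    return sorted(src for src, s in stats.items()
                  if len(s.users) >= min_distinct_users
                  and s.failure_ratio >= min_failure_ratio)


def accounts_to_lock(stats: Dict[str, SourceStats], flagged: List[str]) -> Set[str]:
    """Accounts the flagged sources actually signed into: lock these until
    the owners are notified and reset their passwords."""
    return set().union(*(stats[src].hits for src in flagged))


if __name__ == "__main__":
    st = aggregate(SAMPLE_LOG)
    bad = flag_stuffing(st)
    for src in bad:
        s = st[src]
        print("%s: %d attempts, %d distinct IDs, %.0f%% failed"
              % (src, s.attempts, len(s.users), 100 * s.failure_ratio))
    print("accounts to lock:", sorted(accounts_to_lock(st, bad)))
```

Keying on the source address is the simplest cut; a real deployment would also key on user agent or session fingerprint, since a stuffing campaign is usually spread across many addresses to stay under per-address thresholds.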
“We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet,” he wrote.
Reitinger’s quick announcement was a departure from the company’s previous handling of a breach it suffered earlier this year, when the company waited a week to tell customers that its PlayStation Network had been hacked, and then was slow to release details. News reports indicate that the newest breach occurred primarily over the weekend between Oct. 7 and 10, just two working days before the company’s announcement.
In the previous case, Sony first discovered evidence of the breach on its PlayStation Network last April 20, but waited until the 26th to notify PSN customers. The company said it notified customers the day after forensic investigators told it that the intruders had hacked its network and obtained the personal information of more than 75 million customers. This was followed by another breach at Sony Online Entertainment, which compromised an additional 25 million customers, and still more breaches at Sony Pictures and Sony BMG.
The initial intrusion forced Sony to take its PlayStation Network offline for 40 days.
The tech giant was subsequently hit with a class-action lawsuit by customers complaining in part that the company failed to adequately secure their data, failed to notify customers of the breach in a timely manner and deprived customers of the use of the network for an extended period of time.
Sony has estimated that the breaches last spring would cost it more than $170 million this year, including expenses for shoring up its network against future attacks.
The company hired Reitinger last month as part of its efforts to improve the security of its networks in the wake of those earlier breaches.
Reitinger has heavyweight credentials in the security community. He was previously Deputy Under Secretary of the National Protection and Programs Directorate and Director of the National Cyber Security Center at the Department of Homeland Security. Before that, he was chief trustworthy infrastructure strategist for Microsoft.