It is widely seen as the biggest data compromise of the digital age.
Since mid-April, Sony has been coming to terms with one irreversible fact: a lone hacker has tunnelled through the PlayStation Network’s security defences to access the sensitive details of over 77 million Sony customers.
How could this happen? Sony has been criticised for holding back information. Some say to save face, others suggest commercial pressures were in play, while many accuse Sony of company-wide incompetence.
On Sunday, Sony appeared to be making amends. At an emergency press conference, it offered to the world embarrassing details of its own failures.
The meeting, which lasted nearly two hours, saw Sony’s top executives detail how the network was compromised. This is their account.
Sony chief information officer, Shinji Hasejima, presented an illustration of how the PlayStation Network operated.
There are three layers, he said. At the front, a web server. Behind this, a web applications server. Behind it all, a database server that contains the personal information.
“There are firewalls installed in between each server,” Hesejima said.
“Only the minimum necessary authorised information only is communicated between each one,” he said.
With a three-layer defence, Sony had been confident that the bulk of defences were enough to prevent an intrusion – or at least enough to alert the company of any hack.
But on Sunday, Sony revealed that the hack itself, and any data retrieval, went undetected.
“We have not had previous attack like this,” Hasejima said.
“The breach was detected as a ‘normal transaction’, so it was not detected by any firewall. A certain command was sent… it was a very skilful approach… and the manipulation [of our network] was able to be done externally. So we were not able to detect it from the outside”.
He described it as “a highly sophisticated attack by a highly skilled intruder”.
Of Sony’s three servers, it is believed the weak link was the web applications server.
“We suppose the attacker might have succeeded invading the system by utilising vulnerabilities on the web application server,” Hasejima said.
“The attacker made it inside this server with inappropriate methods, and then got access [authority] to the database server”.
This is, according to Sony, why it cannot rule out data theft.
Rik Ferguson, both a PlayStation user and computer security expert at Trend Micro, said the web applications server was tied to rich content that PSN offers.
“The web applications server will be used to deliver a range of content to users,” he told Develop.
“This would include updates [DLC], digital and rich media content.”
Due to the hack, the details of 77 million customers were exposed. User names, security questions, passwords and other personal data could have been taken. Passwords were hashed and credit card data was encrypted, Sony said.
In what was an extraordinary admission, Hasejima said the shortcomings of its web applications server was known of.
“The vulnerability this time was a known vulnerability, one known of in the world. But Sony was not aware of it… was not convinced of it,” he said.
“We are now trying to improve aspects of it”.
Shiro Kambe, the senior vice president at Sony, made the apology unambiguous.
“We thought we had taken enough management and control measures [to ensure the network was secure], but looking back, there might have been room for further enhancement.
“We have to admit we were not fully sufficient.”