The PlayStation Network is an entertainment service provided by Sony Interactive Entertainment for various platforms such as PlayStation consoles, iOS, Android, Blu-ray players and high-definition televisions. Through the Network, users are able to access a variety of services for an enhanced online gaming experience and other social features. As of today, the PlayStation Network has over 110 million documented users and over 70 million active ones. The main intent of the network as a whole is to provide its users with an enriched experience that allows them to safely access digital media and socially connect with other users without any constraints.
However, in April 2011, servers for certain functions of the PlayStation Network had become unreliable or entirely unavailable for many users. On April 20, 2011, Sony announced that an external intrusion of some kind was impacting the services of the PlayStation Network. This immediately led to Sony halting all PlayStation Network services worldwide. The intrusion was initially assumed to be the work of Anonymous, the umbrella term for a hacktivist collective infamous for DDoS attacks against several large corporations, which had attacked Sony's servers in the weeks before the outage. The breach affected approximately 77 million accounts and prevented users of the PlayStation Portable and PlayStation 3 from accessing the service. It also exposed the data of all 77 million users, giving the attackers access to unencrypted personal information such as full names, addresses, email addresses, birthdates, passwords, security questions and more. Additionally, over 12,000 encrypted credit card numbers belonging to cardholders outside of the U.S. were accessed.
Initially, Sony attempted to quell the commotion caused by the outage by communicating that the downtime would only lead to greater security, stability and a stronger infrastructure for the network, even stating that the Network should be back online in "a full day or two". But the outage continued far longer than Sony had anticipated. On May 1st, Sony announced plans for a compensatory "Welcome Back" package for every user affected by the outage. The package would allow users to download several free titles for PlayStation 3 and PlayStation Portable and included a free month's subscription to the premium service, PlayStation Plus; Sony also promised that PlayStation Network functions such as online gameplay, chat functionality and account management would be restored within the first week of May. However, Sony failed to meet that reported timeframe, and it was not until May 14th that these services began to gradually come back online. Services were restored on a country-by-country basis and required a firmware update for the PlayStation 3, which in turn required users to change their account passwords. The outage lasted a total of 23 days, the longest time the PlayStation Network has ever been offline.
As a result of this outage, Sony faced a large degree of criticism from various parties over its failure to maintain stable network security for a service with an install base in the millions. There were many concerns over the encryption of the personal details exposed in the breach, as Sony had said that everything except the users' credit card information was stored unencrypted. This seemingly meant that any employee working on Sony's websites had access to the passwords of millions of users and could potentially use them as they pleased, which angered many. This controversy led to Sony having to clarify the issue in a blog post, stating:
“While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form”
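As an added illustration of the distinction Sony draws above (this is example code written for this page, not Sony's code; Sony's actual hashing scheme was never published), the following shows why a password store built on a salted, iterated hash can verify logins without anyone, including an employee with database access, being able to read the cleartext back out. The record format, iteration count and salt length are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration only; real deployments tune them
# to their own hardware and threat model.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be attacked as a whole with a
    single precomputed lookup. The hash is one-way: unlike encryption, there is
    no key whose possession turns the record back into the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the candidate password and compare in constant time.

    Malformed or foreign-format records are rejected rather than raising, so a
    corrupted row in the store cannot be turned into an authentication bypass.
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != ALGORITHM or iterations <= 0:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample: two users choosing the same password still get
    # different stored records, and only the correct password verifies.
    first, second = hash_password("correct horse"), hash_password("correct horse")
    print(first != second, verify_password("correct horse", first), verify_password("wrong", first))
```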
Additionally, Sony did not officially acknowledge that users' personal information had been breached until April 26th, when it stated that it "cannot rule out the possibility" that such information had been obtained and mentioned, almost in passing, that credit card information may have been stolen as well. This came nearly a week after the beginning of the outage, which infuriated users. Many even considered the late notification a violation of PCI compliance for mishandling the storage of credit card information. This massive system failure led to a formal investigation of Sony by the British Information Commissioner's Office for infringing the Data Protection Act 1998, which gave individuals legal rights over their own personal information. The office released a statement that harshly criticized Sony, stating:
“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority.
There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
This violation netted Sony a fine of £250,000 for not complying with the law. Because of the outage, Sony also came under fire from many other parties and corporations for sheer incompetence in its security measures, and the incident took a major toll on the public's perception of the entire corporation.
With Sony being very reserved on the matter, the exact method by which the PlayStation Network was hacked and the technical details that led to the security breach remain unknown. Nonetheless, it goes without saying that this outage could have been avoided if more appropriate measures had been enforced, given the expertise a large corporation like Sony has. Specifically, if the principles of the Software Engineering Code of Ethics and Practice (SECPP) on product and management had been followed, this outage may never have had a real chance of occurring. The SECPP's principle of product states that:
“Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.”
“Maintain the integrity of data, being sensitive to outdated or flawed occurrences” (3.14).
This principle was clearly not followed by Sony at the time of the breach; the entire purpose of a network is to allow consumers to safely use services without worrying about their shared data being accessed. By no means was Sony meeting the highest professional standards possible when other digital media services had not had any issues anywhere near the extent of this breach. The SECPP's principle of management states that software engineering managers must:
“Ensure good management for any project on which they work, including effective procedures for promotion of quality and reduction of risk.” (5.01)
“Ensure that software engineers know the employer’s policies and procedures for protecting passwords, files and information that is confidential to the employer or confidential to others.” (5.03)
Poor management is likely the underlying reason behind the hacking. Sony is a corporation with a net worth in the billions, so there is no reason why its servers should have been so poorly managed that a third-party hacktivist group could impact a network used by over 70 million people. It is clear that Sony severely underestimated the importance of stability and security, which led to the absence of effective procedures that would have reduced risk and protected sensitive information. Had these principles been adhered to, there is no doubt that the network would not have been mismanaged, and the catastrophic outage that followed would not have occurred.
In conclusion, the 2011 PlayStation Network outage was the result of a major software failure that impacted millions of people. Affecting 77 million accounts worldwide and lasting 23 days, it is considered one of the largest data security breaches of all time. Sony lost approximately $171 million following the outage, covering the expenses of security improvements and compensation packages. The outage was a disastrous incident for every party involved and showcased the utter importance of data security in modern society.