PSN Attack Timeline
In his response to the US House of Representatives Committee on Energy and Commerce, Kaz Hirai explains in some detail the circumstances surrounding the PSN attack: how and when the intrusion was identified, the steps Sony has taken in assessing the damage caused and the notification of law enforcement, regulators and PSN users. Below is a chronological summary of Sony’s response to the intrusion, which has resulted in the personal information of over 100 million gamers being taken by an as yet unidentified third party, with PSN now into its third week of downtime.
Tuesday, April 19
At 4.15pm Sony Network Entertainment America (SNEA) detects unauthorised activity in the network, with "certain systems rebooting when they were not scheduled to do so." The team takes four affected servers – out of a total of 130 across PSN – offline, and begins an internal assessment which continues into the evening.
Wednesday, April 20
SNEA mobilises a larger internal team and discovers "the first credible indications" of an intrusion, identifying six more servers as being possibly compromised, and taking them offline as well. In the early afternoon SNEA discovers that data has been taken from the system, but cannot ascertain precisely what it is, and shuts PSN down entirely. SNEA then engages the services of a "recognised security and forensic consulting firm" to mirror the affected servers – a process which takes "many hours".
Thursday, April 21
Sony retains the services of a second security firm to "provide more manpower to image the servers," warning on the PlayStation Blog that the outage may last "a full day or two."
Friday, April 22
SCEA’s general counsel notifies the FBI of the intrusion, despite not yet having identified "the scope or effect" of the intrusion. A meeting, during which Sony will provide the FBI with details, is set for Wednesday, April 27. By the afternoon, two days after the process began, the mirroring of the ten affected servers is finally completed.
Saturday, April 23
In the evening, forensic teams confirm that the intruders used "very sophisticated and aggressive" methods to "obtain unauthorised access, hide their presence from system administrators, and escalate privileges inside the servers," including deleting log files.
Sunday, April 24
SNEA engages a third forensic team to provide more manpower, specifically "to use their special skills to determine the scope of the data theft."
Monday, April 25
Forensic teams confirm the scope of personal data taken, with PSN's entire userbase affected "although not every piece of information on those accounts appears to have been stolen." The teams cannot ascertain, however, whether credit card data has also been obtained.
Tuesday, April 26
SNEA and SCEA "coordinate to provide public notice of the intrusion", with a PlayStation Blog post confirming that users’ personal details had been taken and that, while no evidence of credit card theft had been found, the firm cannot rule out the possibility. It says it will email a copy of the statement to all PSN users, and notifies regulatory authorities in New Jersey, Maryland and New Hampshire.
Wednesday, April 27
SNEA notifies regulatory authorities in Hawaii, Louisiana, Maine, Massachusetts, New York, North Carolina, South Carolina, Virginia and Puerto Rico.
Sunday, May 1
Sony notices "likely theft" from Sony Online Entertainment (SOE) servers that had not initially been spotted "even after highly trained technical teams had examined the network infrastructure." A file is found on SOE’s servers, named Anonymous, containing the message "We Are Legion."
During a Tokyo press conference Hirai, flanked by chief information officer Shinji Hasejima and senior VP of corporate communications Shiro Kambe, apologises to consumers, says PSN will begin its gradual return this week, and outlines the Welcome Back programme with which Sony intends to compensate its users.
Monday, May 2
Sony Online Entertainment issues a press release confirming that it, too, had been targeted in the attack, and had taken its servers offline. The personal details of 25 million users were taken – taking the total affected past 100 million – with 12,700 credit card records and 10,700 direct debit records also stolen from an outdated database from 2007.