Sony reported to be considering bounty for PSN attack
A reward for information is one of the options the company is considering, WSJ's All Things Digital says
Computerworld - Sony is reported to be considering offering a reward for information leading to the arrest and prosecution of those behind the recent breach of its PlayStation Network (PSN).
The Wall Street Journal's All Things Digital reported today that a bounty is one of several options Sony is considering to try and get information on the hackers responsible for the intrusion.
No final decision has been made yet, and the company could still drop the plan entirely, the report, which quoted unnamed sources, said.
Discussions on the pros and cons of offering a bounty are ongoing and will require approval from Sony's executive team in Japan, the report said.
If the plan does move ahead, Sony will work with the FBI and other international law enforcement authorities to offer the reward, it noted.
The reward apparently is just one of the options Sony is considering as it works with law enforcement to track down the perpetrators.
Sony did not respond to a request for comment on the bounty that it is allegedly considering.
Sony's PlayStation Network has been offline since April 20th following a malicious intrusion. The breach compromised the names, addresses, birth dates, purchase histories, online IDs and in some cases credit card data, of 77 million subscribers to PSN and its Qriocity service, the company said.
Sony disclosed the breach more than six days after it had abruptly shut down PSN. The breach has become a high-profile example of the
In a letter to Senator Richard Blumenthal (D-CT) last week, Kazuo Hirai, president and group CEO of Sony Computer Entertainment, offered one of the most detailed timelines of the breach yet.
The letter was sent in response to a demand from Blumenthal seeking more information from Sony on what exactly had happened, and why the company had delayed notifying consumers about the breach.
Hirai said Sony first encountered problems with PSN on April 19, when several of the 130 servers running the network, began unexpectedly rebooting themselves. The unusual activity prompted network engineers from Sony Network Entertainment America to immediately take four servers offline and begin an inspection of the systems.
On April 20, the team recruited more people into its internal investigation team and quickly discovered that an intruder had broken into the network. That same day, investigators discovered that six other servers had also possibly been compromised.
The company hired an external security team to mirror the servers and conduct a forensic analysis of the systems. As the size and scope of the attack began emerging, Sony hired a second forensics team and then a third company to help assist the company with its investigations.
Hirai said investigations showed that the intruders had used "very sophisticated and aggressive techniques" to access the systems and then hide their tracks. "Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network."
It took investigators until April 25 to figure out what personal data exactly might have been taken, but even at that point the company did not know for sure if credit card data had been compromised, Hirai said.
Despite this fact, Sony decided to inform consumers about the potential compromise of their credit card data on April 26, because it wanted to make sure it was complying with all relevant state breach notification requirements, he said.
On May 1, more than 10 days after it first discovered the intrusion into PSN, investigators discovered that data had also been stolen from the Sony Online Entertainment. That discovery prompted a shut down of the service on May 2.
In all, a total of 12.3 million active and expired credit cards, including about 5.6 million in the U.S., were potentially exposed, Hirai said.
The breach at Sony Online Entertainment resulted in the potential theft of account information belonging to 24.6 million account holders. That breach potentially exposed data on 12.700 credit cards and another 10,700 debit cards, all belonging to non-U.S. customers.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- Arrests made after international cyber-ring targets StubHub
- SQL injection flaw opens door for Wall Street Journal database hack
- Goodwill Industries probes possible payment card breach
- Aloha point-of-sale terminal, sold on eBay, yields security surprises
- The biggest data breaches of 2014 (so far)
- Blue Shield discloses 18,000 doctors' Social Security numbers
- PF Chang's says breach was 'highly sophisticated criminal operation'
- Breaches exposed 1 in 7 US debit cards in 2013
- New malware program targets banking data
- How to protect yourself against privileged user abuse
Read more about Data Security in Computerworld's Data Security Topic Center.
- A More Predictable Way to Budget Software Costs Wavetronix enables creative collaboration while cost-effectively accessing all the latest tools with Adobe Creative Cloud for teams. For Wavetronix, collaboration was easy when...
- Adobe Creative Cloud for teams Security Overview This white paper describes the proactive approach and procedures implemented by Adobe to increase the security of your Creative Cloud experience and your...
- 3 Big Data Security Analytics Techniques You Can Apply Now to Catch Advanced Persistent Threats This technical white paper demonstrates how to use Big Data security analytics techniques to detect advanced persistent threat (APT) cyber attacks, and it...
- IT Security by the Numbers: Calculating the Total Cost of Protection Humorist Franklin P. Jones may have said it best: "When you get something for nothing, you just haven't been billed for it yet."...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!