Sony reported to be considering bounty for PSN attack
A reward for information is one of the options the company is considering, WSJ's All Things Digital says
Computerworld - Sony is reported to be considering offering a reward for information leading to the arrest and prosecution of those behind the recent breach of its PlayStation Network (PSN).
The Wall Street Journal's All Things Digital reported today that a bounty is one of several options Sony is considering to try and get information on the hackers responsible for the intrusion.
No final decision has been made yet, and the company could still drop the plan entirely, the report, which quoted unnamed sources, said.
Discussions on the pros and cons of offering a bounty are ongoing and will require approval from Sony's executive team in Japan, the report said.
If the plan does move ahead, Sony will work with the FBI and other international law enforcement authorities to offer the reward, it noted.
The reward apparently is just one of the options Sony is considering as it works with law enforcement to track down the perpetrators.
Sony did not respond to a request for comment on the bounty that it is allegedly considering.
Sony's PlayStation Network has been offline since April 20th following a malicious intrusion. The breach compromised the names, addresses, birth dates, purchase histories, online IDs and in some cases credit card data, of 77 million subscribers to PSN and its Qriocity service, the company said.
Sony disclosed the breach more than six days after it had abruptly shut down PSN. The breach has become a high-profile example of the
In a letter to Senator Richard Blumenthal (D-CT) last week, Kazuo Hirai, president and group CEO of Sony Computer Entertainment, offered one of the most detailed timelines of the breach yet.
The letter was sent in response to a demand from Blumenthal seeking more information from Sony on what exactly had happened, and why the company had delayed notifying consumers about the breach.
Hirai said Sony first encountered problems with PSN on April 19, when several of the 130 servers running the network, began unexpectedly rebooting themselves. The unusual activity prompted network engineers from Sony Network Entertainment America to immediately take four servers offline and begin an inspection of the systems.
On April 20, the team recruited more people into its internal investigation team and quickly discovered that an intruder had broken into the network. That same day, investigators discovered that six other servers had also possibly been compromised.
The company hired an external security team to mirror the servers and conduct a forensic analysis of the systems. As the size and scope of the attack began emerging, Sony hired a second forensics team and then a third company to help assist the company with its investigations.
Hirai said investigations showed that the intruders had used "very sophisticated and aggressive techniques" to access the systems and then hide their tracks. "Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network."
It took investigators until April 25 to figure out what personal data exactly might have been taken, but even at that point the company did not know for sure if credit card data had been compromised, Hirai said.
Despite this fact, Sony decided to inform consumers about the potential compromise of their credit card data on April 26, because it wanted to make sure it was complying with all relevant state breach notification requirements, he said.
On May 1, more than 10 days after it first discovered the intrusion into PSN, investigators discovered that data had also been stolen from the Sony Online Entertainment. That discovery prompted a shut down of the service on May 2.
In all, a total of 12.3 million active and expired credit cards, including about 5.6 million in the U.S., were potentially exposed, Hirai said.
The breach at Sony Online Entertainment resulted in the potential theft of account information belonging to 24.6 million account holders. That breach potentially exposed data on 12.700 credit cards and another 10,700 debit cards, all belonging to non-U.S. customers.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.
- US agencies to release cyberthreat info faster to healthcare industry
- UPS now the third company in a week to disclose data breach
- Healthcare organizations still too lax on security
- Why would Chinese hackers want US hospital patient data?
- About 4.5M face risk of ID theft after hospital network hacked
- Supervalu breach shows why move to smartcards is long overdue
- Grocery stores in multiple states hit by data breach
- Update: Payment cards with chips aren't perfect, so encrypt everything, experts say
- U.S. agencies halt background checks by contractor after cyberattack
- Five unanswered questions about massive Russian hacker database
Read more about Data Security in Computerworld's Data Security Topic Center.
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Getting Real About Management and "Big Data" It's an exciting yet daunting time to be a security professional. Security threats are becoming more aggressive and voracious. Governments and industry bodies...
- The Big Data Security Analytics Era Is Here Security management must be based upon continuous monitoring and data analysis for situational awareness and data-driven security decisions. Organizations have entered the era...
- Transforming Information Security: Future-Proofing Processes This report provides a valuable set of recommendations from 19 of the world'd leading security officers to help organizations build security strategies for...
- Business-driven Data Protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the Arcserve team will...
- Establish Cyber Resiliency: Developing a Continuous Response Architecture Many enterprises fail to proactively prepare the battlefield for a data breach by only leveraging outdated techniques that focus on the perimeter or... All Data Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!