The 2011 PlayStation Network outage also referred to as the PSN Hack, was a result of an “external intrusion” on Sony’s PlayStation Network and services, in which the personal details of approximately 77 million accounts were compromised or leaked and prevented the users of PlayStation 3 and PlayStation Portable consoles from accessing the services. The attack had occurred between April 17 and April 19, in the year 2011, forcing Sony to turn off the PlayStation Network completely on April 20th. On May 4, Sony had also confirmed that personal information from each of the 77 million accounts had been exposed or compromised. The outage lasted for a span of 23 days.
During the time of the outage, 77 million registered PlayStation Network accounts, it is referred to as not only one of the largest data security breaches that has happened but also the longest Play Station Network outage in the history. It had surpassed the 2007 TJX hack which affected around 45 million customers. Government officials from all over the world raised concerns over the theft and mainly disappointed on Sony’s one-week delay before warning its users whose data has been compromised.
Sony stated on April 26th that it was attempting to get its online services running within a week. On May 14, Sony released PlayStation 3 firmware version 3.61 as the security patch. The firmware required the users to modify their account’s password once they try to sign in. During the time when firmware was released, the network had still been offline. A map of regional restoration and network within the United States has been shared as the service was coming back to online.
Around March 2010, Sony released a firmware update for the PlayStation 3, which patched functionality to use 3rd Party Operating Systems, such as Linux, on the System. This had caused outrage in the community, as the 3rd Party Operating Systems has been used frequently in the modification.
On January 2, in 2011, George Hotz successfully jailbroke the PlayStation 3 firmware. A day later, he had started distributing the jailbreak through his personal website.
On January 11, 2011, Sony had filed a lawsuit against Hotz, as he was distributing the jailbreak software for their PlayStation 3 on his website.
On April 2, 2011, a group of hackers claiming to be Anonymous, had declared “Operation Sony” publicly. Later the same week, On April 11th, Sony had suddenly dropped the lawsuit with Hotz.
On April 13th, the Group had released a video in text to speech, calling for “A Day of Sony Protest”
Timeline of the outage:
On April 20, 2011, Sony acknowledged on their official PlayStation Blog that it was aware certain functions of the PlayStation Network” were down. Upon attempting to sign in via the PlayStation 3, users received a message indicating that the network was “undergoing maintenance”. The following day, Sony asked its customers for patience while the cause of outage was investigated and stated that it may take a full day or two to get the service fully functional again.
The company later announced an “external intrusion” had affected the PlayStation Network and Qriocity services. This intrusion occurred between April 17 and April 19. On April 20, Sony suspended all PlayStation Network and Qriocity services worldwide. Sony expressed their regrets for the downtime and called the task of repairing the system time-consuming but would lead to a stronger network infrastructure and additional security. On April 25, Sony spokesman Patrick Seybold reiterated on the PlayStation Blog that fixing and enhancing the network was a time intensive process with no estimated time of completion. However, the next day Sony stated that there was a clear path to have PlayStation Network and Qriocity systems back online, with some services expected to be restored within a week. Furthermore, Sony acknowledged the compromise of personal information as a result of an illegal intrusion on our systems.
On May 1 Sony announced a “Welcome Back” program for customers affected by the outage. The company also confirmed that some PSN and Qriocity services would be available during the first week of May. The list of services expected to become available included:
- Restoration of Online gameplay across the PlayStation 3 (PS3) and PSP (PlayStation Portable) systems
- This includes titles requiring online verification and downloaded games
- Access to Music Unlimited powered by Qriocity for PS3/PSP for existing subscribers
- Access to account management and password reset
- Access to download un-expired Movie Rentals on PS3, PSP and Media Go
- PlayStation Home
- Friends List
- Chat Functionality
On May 2 Sony issued a press release, according to which the Sony Online Entertainment services had been taken offline for maintenance due to potentially related activities during the initial criminal hack. Over 12,000 credit card numbers, albeit in encrypted form, from non-U.S. cardholders and additional information from 24.7 million SOE accounts may have been accessed.
During the week, Sony sent a letter to the US House of Representatives, answering questions and concerns about the event. In the letter Sony announced that they would be providing Identity Theft insurance policies in the amount of US$1 million per user of the PlayStation Network and Qriocity services, despite no reports of credit card fraud being indicated. This was later confirmed on the PlayStation Blog, where it was announced that the service, All Clear ID Plus powered by Debix, would be available to users in the United States free for 12 months, and would include Internet surveillance, complete identity repair in the event of theft and a $1 million identity theft insurance policy for each user.
On May 6, Sony stated they had begun final stages of internal testing for the PlayStation Network, which had been rebuilt. However, the following day Sony reported that they would not be able to bring services back online within the one-week timeframe given on May 1, because “the extent of the attack on Sony Online Entertainment servers” had not been known at the time. SOE confirmed on their Twitter account that their games would not be available until sometime after the weekend.
Reuters began reporting the event as “the biggest Internet security break-in ever”. A Sony spokesperson said:
- Sony had now removed the personal details of all the 2,500 people which were stolen by the hackers and posted on their website.
- The data also included names and some addresses, which were in a database created in the year 2001.
- No date has been fixed for the restart.