January 23, 2010
It is announced that George “GeoHot” Hotz, the hacker who developed the first iPhone jailbreak application in 2007, has successfully cracked the Sony PlayStation 3. It was claimed that jailbreaking the PS3 would let users play pirated games, build their own software, and play old PlayStation 2 games. “It’s supposed to be unhackable – but nothing is unhackable. I can now do whatever I want with the system. It’s like I’ve got an awesome new power – I’m just not sure how to wield it,” Hotz tells the BBC in an interview. Sony tells the BBC it has begun “investigating the report and will clarify the situation once we have more information.”
January 13, 2011
Sony announces legal action against fail0verflow, a hacker group with GeoHot at the helm and with more than 100 members, amid claims they uncovered PS3 security codes enabling users to run any software on a PS3. Fail0verflow claims innocence, stating they do not condone video game piracy and the hack only lets users install different operating systems and simple software.
U.S. Magistrate Joseph Spero grants Sony access to IP information of anyone who, since January 2009, visited GeoHot’s website describing how to crack the PS3. Sony subpoenas Google, Twitter, and YouTube in search of everyone who watched a video or read information on how to jailbreak the PS3. The digital freedom community goes into an uproar, claiming the order violates privacy rights.
April 3, 2011
Anonymous Operations launches OpsSony, with cyberattacks against Sony in response to its actions against users jailbreaking their PS3s. The PlayStation Network is taken down in a DDoS cyberattack. An off-shoot of Anonymous, SonyRecon, sets out to gain personal information on Sony senior managers. Their first target is Sony executive Robert Wiesenthal, and they leak information on his marital status, children, address, and education background. Sony states the stream of attacks is in response to its legal action against GeoHot. Anonymous releases a statement saying “… Sony attacks people’s rights over their property because it doesn’t want them to jailbreak, so in response it will attack their domains because it doesn’t like their actions …”
April 11, 2011
Sony announces it reached a court settlement with GeoHot in a San Francisco court. In the agreement reached on March 31, Hotz agreed to a permanent injunction. Riley Russell, General Counsel for SCEA, states on the PlayStation Blog, “Our motivation for bringing this litigation was to protect our intellectual property and our consumers. We believe this settlement and the permanent injunction achieve this goal.” GeoHot states, “It was never my intention to cause any users trouble or to make piracy easier … I’m happy to have the litigation behind me.”
April 21, 2011
The Sony PlayStation Network (PSN) goes offline. Sony remains silent on details.
April 25, 2011
Details on the PSN outage remain vague. Sony director of corporate communications Patrick Seybold states on the PlayStation Blog, “I know you are waiting for additional information on when PlayStation Network and Qriocity services will be online. Unfortunately, I don’t have an update or timeframe to share at this point in time. As we previously noted, this is a time intensive process and we’re working to get them back online quickly. We’ll keep you updated with information as it becomes available. We once again thank you for your patience.”
April 26, 2011
Sony announces the PSN and Qriocity outages are due to a “compromise of personal information as a result of an illegal intrusion on our systems,” in a post on the PlayStation Blog. They announce that between April 17 and April 19, user account information for both services was compromised. Sony states leaked data includes credit card data and personal information of users. Sony tells users “We have a clear path to have PlayStation Network and Qriocity systems back online, and expect to restore some services within a week.” Sony states it hired a security firm to help investigate the breach. The breach exposed the personal information of close to 77 million Sony customers.
April 27, 2011
Sony claims “the entire credit card table was encrypted and we have no evidence that credit card data was taken,” but adds that the personal data table was not encrypted.
April 29, 2011
Users post comments in hacker forums claiming ownership of user data from Sony networks. They claim they hope to sell 2.2 million credit card numbers obtained from the networks for more than $100,000.
May 1, 2011
Sony announces PSN and Qriocity services will begin going back online, starting with sweeping, regional restoration of online gaming. They state they will take “a series of immediate steps to enhance security across the network and a new customer appreciation program to thank its customers for their patience and loyalty.” Sony announces new security measures on their networks.
May 2, 2011
Sony announces they were hacked again, with an estimated 24.6 million Sony Online Entertainment user accounts compromised. Information on the database includes an estimated 12,700 non-U.S. credit or debit card numbers and expiration dates, and an estimated 10,700 debit records of customers in Austria, Germany, Netherlands and Spain.
May 3, 2011
Sony writes a letter to a House panel in which Kazuo Hirai, chairman of Sony Computer Entertainment America, claims Anonymous Operations was behind the network breach. He cites a file found on the networks entitled “Anonymous” containing one of the group’s slogans, “We are Legion.”
May 4, 2011
Anonymous denies blame for PSN and Qriocity breaches in a statement, saying “Whoever broke into Sony’s servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history. No one who is actually associated with our movement would do something that would prompt a massive law enforcement response.”
May 5, 2011
An observer on a hacker Internet Relay Chat (IRC) channel tells CNET a third, major cyberattack against Sony is planned for the coming weekend. No known attack happens.
May 6, 2011
Oddly, Sony posts a guide on how to hack their Xperia Android phones. The post on the Sony Ericsson blog contains a detailed guide on how to build a Linux kernel and flash it to the phone, and includes download links for the necessary tools. It is suspected the post was meant as an olive branch to hackers—an attempt to mend tensions over Sony’s legal actions against jailbreakers.
May 9, 2011
Rep. Mary Bono Mack, chair of the Commerce, Manufacturing, and Trade Subcommittee, states that both the manner in which Sony notified users about the breach of their personal data and its delay in doing so were unacceptable. The statements were made during a House Energy & Commerce Subcommittee on Commerce, Manufacturing, and Trade hearing.
May 14, 2011
Sony announces the beginning of phased game service restoration, along with enhancements to data security including higher levels of encryption. “Our main priority is the safety and security of our customers’ personal information,” said Kazuo Hirai, Executive Deputy President, Sony Corporation, in a press release.
May 18, 2011
The discovery of a security flaw prompts Sony to suspend the PSN and Qriocity password reset pages. Seybold states on the PlayStation blog, “Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.”
May 20, 2011
Sony is hacked again. Digital security company F-Secure reveals the discovery of a live phishing site on one of Sony’s servers.
May 22, 2011
The Greek website of Sony Music Entertainment, SonyMusic.gr, is hacked, exposing data of 8,500 users. Samples of names, e-mails, and passwords of users taken from a database are posted on pastebin.com. Digital security company Sophos makes an accurate prediction that, “As long as it is popular within the hacker community to expose Sony’s flaws, we are likely to continue seeing successful attacks against them.”
May 23, 2011
Sony estimates financial losses from cyberattacks at around $171 million. This is in addition to a $3.18 billion loss for fiscal year 2011.
May 24, 2011
Sony Ericsson’s Canada eShop is breached by hackers, exposing an estimated 2,000 user records including their names, emails, and passwords. Sony Ericsson pulls the website offline. The Hacker News sends a tip to Sophos stating vulnerabilities were found earlier on Sony Music Japan that could let hackers access content with SQL injection.
May 25, 2011
Sony offers users an identity theft protection service.
May 27, 2011
The Hacker News cites a forum post with a new vulnerability found on the Sony PlayStation Store website. The XSS vulnerability could be used for phishing or other forms of cyberattacks. They claim “almost 70% Sony’s websites are Vulnerable with various Flaws … Sony Should Fix it as soon as possible, Before any next hack attack.”
May 30, 2011
Sony announces it will fully restore PSN services in the Americas, Europe/PAL territories and Asia, excluding Japan, Hong Kong, and South Korea by the end of this week. “We have been conducting additional testing and further security verification of our commerce functions in order to bring the PlayStation Network completely back online so that our fans can again enjoy the first class entertainment experience they have come to love,” said Kazuo Hirai, Executive Deputy President, Sony Corporation, in a press release.
June 2, 2011
Sony is hacked again, after announcing the start of full restorations to PSN services, and while the company was testifying before Congress on its network breaches. Hacker group LulzSec breaches Sony Pictures and dumps a trove of 150,000 records, with claims the full database contained more than 4.5 million records. LulzSec states “SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”
June 3, 2011
Sony begins releasing its “Welcome Back” package of freebies to users. LulzSec posts on its Twitter account that users should blame Sony for their being able to breach its networks. “I hear there’s been some funny scamming with jacked Sony accounts. That’s what you get for using the same password everywhere,” they stated. “Hey innocent people whose data we leaked: blame @Sony.” Sony Pictures releases a statement saying “We deeply regret and apologize for any inconvenience caused to consumers by this cybercrime.”
June 4, 2011
A Lebanese hacker breaches the user database of Sony Europe, compromising 120 user accounts. According to Sophos, this marked the 13th breach of Sony networks.
June 5, 2011
A hacker defaces the Sony Music Brazil website. The message states, in part, “Hacked The UnderTaker, Return The Legend Ottoman-Empire.”
June 6, 2011
After hacking Sony again, LulzSec releases the source code of the Sony Developer Network.