During a press conference in Japan held on Sunday regarding PlayStation Network and listened in on by Gamasutra, Sony's Kaz Hirai and colleagues gave much additional information on the PSN and Qriocity intrusion and shutdown, revealing the FBI has been brought in to investigate a "highly sophisticated attack".
Starting the conference, SCEI head Kazuo Hirai stated: "We would like to extend our apologies [to PlayStation Network and Qriocity users]... because we potentially compromised their customer data. We offer our sincerest apologies."
A trio of Sony executives then explained the timeline for the issues that have brought the PlayStation Network down for more than a week and a half.
The compromised server was located at AT&T's service center in San Diego, California, and run by Sony's SNEI division. Sony discovered an intrusion between April 17th and 19th, and they turned off the service on April 20th. On the same day they engaged a computer security firm to examine the issues.
It was discovered that this was a "highly sophisticated attack by a skilled intruder," who "took steps to cover his tracks". Sony then brought in two extra security firms, the second of which was hired on April 24th.
Because they "could not rule out the possibility" that information had been taken, they told customers on April 26th that their names, passwords and credit card numbers had potentially been copied, notifying the owners of 10 million accounts. The total number of accounts is 78 million, but many of them are duplicates.
While Sony reiterated that it has no confirmed instances of credit cards stolen from the data, and that the three-digit CVV number was definitely not compromised, the company has asked the FBI to conduct a criminal investigation, and will provide an update "when we have something to share."
So what's next for the company in recovering? Firstly, Sony is moving the data center from San Diego to a new undisclosed location, and is also increasing security "to help defend against new attacks."
In addition, the PlayStation 3 console will receive an imminent system software update that will require users to change their PlayStation Network passwords. A password can only be changed on the same PS3 that the account was created on, or via a validated email.
Although no credit cards have been proven as misused after the intrusion, Sony says that "we will consider covering the cost of reissues of new credit cards to affected customers if they wish to do so."
In addition, the company will help users to enroll in theft prevention schemes, and will also roll out free 'welcome back' packages with selected free content on PlayStation Network. This will include a 30-day membership in PlayStation Plus for all PSN users, and existing PS+ subscribers will get an extra 30 days added to their membership.
As for the timeline for bringing the service back online, "within a week" the company will "incrementally restart the services." This will start with "restoration of online gameplay across PS3 and PSP" and PlayStation Network movie playback as well as PlayStation Home, within the next week. The remainder of the services, including PlayStation Store purchasing, will return sometime within the next month.
Finally, and intriguingly, Hirai commented that "we have also received attacks from Internet group Anonymous," but these may not be related to the other intrusion. The executive noted that the group has publicized personal information about Sony's top management, including family information relating to their children's schools, on the Internet.
He concluded: "These kind of attacks... may not be limited only to Sony," and as a result, the company will co-operate with law enforcement agencies and any other authorities regarding all of these threats to ensure what Hirai called "the safety of a networked society."
In the Q&A, Hirai was asked why Sony did not inform users sooner. Hirai noted that the firm closed PSN to "prevent any spread of the damages" and then hired three companies to analyze the damage, including analyzing "voluminous data". That's why it was necessary for Sony to take action "in a gradual way," according to the executive.
Hirai also noted that stopping the PSN system took "more time than expected," and the data analysis took "more time than we had hoped," but it was because the company wanted to have the full story before coming forward.