This is a timeline of major events associated with the attack on Sony’s PlayStation Network and Qriocity online services.
Dates are given relative to the location the events took place. Sony announcements, released globally, are listed according to their publication in the U.S.
Related stories
PlayStation network hack results in massive-scale identity theft
Catastrophic Playstation breach: Inventory of what you may have lost
Canadians very vulnerable to identity theft, survey shows
Tuesday, April 19
Sony learned its PlayStation Network and Qriocity networks had been compromised. At the time, the company did not announce this. It was subsequently disclosed in a statement issued by the company’s U.S. subsidiary on April 26.
Wednesday, April 20
Sony took its first public step by closing down the two networks, but it didn’t disclose what it already knew: the networks had been hacked. It issued a statement that said, “We’re aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information.”
Thursday, April 21
The company said it was still investigating the cause of the outage and that it would be “a full day or two” before everything was back to normal.
A posting on Sony Europe’s PlayStation blog suggested the networks had been attacked. The posting was later removed, but numerous gaming news outlets reported it as saying, “Our support teams are investigating the cause of the problem, including the possibility of targeted behavior by an outside party.”
Friday, April 22
Sony revealed for the first time the cause of the problems. “An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services,”it said in a statement. It offered no details on when services might return to normal.
Hacking group “Anonymous” said in a statement that its core had nothing to do with the attack, but the message left open the possibility that individuals from the group might be responsible. “While it could be the case that other Anons have acted by themselves AnonOps was not related to this incident and takes no responsibility for it,” the statement said. It accused Sony of taking advantage of previous attacks on its network to explain an internal problem with company servers.
Saturday, April 23
Sony said it was having to rebuild its network as a result of the attack. “Our efforts to resolve this matter involve rebuilding our system to further strengthen our network infrastructure,” it said. “Though this task is time-consuming, we decided it was worth the time necessary to provide the system with additional security.”
The company said it was “working around the clock to bring them both back online,” but didn’t say when they might return. “We thank you for your patience to date and ask for a little more while we move towards completion of this project,” the statement said.
Sunday, April 24
For the first time since the problems began, Sony went a day without releasing an update.
Monday, April 25
A spokesman for Sony in Tokyo told IDG News Service a “thorough investigation” was under way. He said the company had not yet determined whether the personal information or credit card numbers of users had been compromised, but that Sony would promptly inform users if it found that were the case.
Computer security experts called in by Sony concluded a breach of consumer data had occurred when the PlayStation Network was hacked. At the time, the company held off on making the announcement until the next day.
Tuesday, April 26
Kaz Hirai, head of Sony’s gaming division, appeared at a Tokyo news conference held to unveil the company’s tablet PCs. Hirai expressed condolences and support for victims of the March earthquake and tsunami, talked about the new tablets and how they could download content from the Qriocity online service, but failed to mention the problems with Qriocity and the PlayStation Network. He left the stage without taking questions, as originally scheduled.
About 12 hours later, Sony released its most detailed statement to date on the hack and confirmed that personal information was stolen. The information included names and addresses for registered PlayStation Network and Qriocity users, along with their birth dates, e-mail addresses and other personal information.
“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility,” Sony said. It advised customers to create credit card fraud alerts and keep a close eye on charges made to linked credit cards.
It also said the PlayStation Network and Qriocity would be back online “within a week.”
Wednesday, April 27
Sony shares fell 2 per cent on news of the potentially huge data leak, ending Wednesday trading in Tokyo at 2,366 yen, down 49 yen.
A class-action lawsuit was filed in the U.S. accusing Sony of not taking “reasonable care to protect, encrypt and secure the private and sensitive data of its users.” It seeks monetary compensation and free credit card monitoring.
Sony published a detailed Q&A that clarified credit card information was stored in an encrypted form and added, “we have no evidence that credit card data was taken.” Other personal information was not encrypted.
Thursday, April 28
Sony shares dropped 4.5 per cent in Tokyo, to end the holiday-shortened week at 2,260 yen.
George Hotz, the hacker who received widespread grassroots support after being sued by Sony for posting code that can jailbreak Sony PlayStation consoles, blamed the company’s recent data breach on executive-level arrogance. “The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts,” said Hotz on his blog. “Alienating the hacker community is not a good idea.”
Sony hinted it is considering some form of compensation for users. In a blog posting, it wrote, “We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online.”
Martyn Williams covers Japan and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn’s e-mail address is [email protected]