Over the last two months, the multi-national Sony Corporation has come under a wide range of attacks from an even wider range of attackers. The backstory about what event prompted who to attack and why will make a mediocre made-for-TV movie someday. This article is not going to cover the brief history of hacks; readers can find details elsewhere. Instead, the following only serves to create an accurate and comprehensive timeline regarding the recent breaches, a cliff notes summary for easy reference.
Other than Steve Ragan and The Tech Herald, most recent articles about Sony make vague references to ongoing problems, but do not enumerate the full history. This is likely because the past events, while only 45 days old at most, are convoluted and confusing. The table below should serve to fix that, hopefully giving journalists and security professionals a concrete and clear history.
One thing should be noted; the attacks against Sony are not coordinated, nor are they advanced. Sony has demonstrated they have not implemented what any rational administrator or security professional would consider "the absolute basics". Storing millions of customer's personal details and passwords without using any form of encryption is reckless and ridiculous. Even security books from the '80s were adamant about encrypting passwords at the very least. Several of Sony's sites have been compromised as a result of basic SQL injection attacks, nothing elaborate or complex.
If anyone... ANYONE at all uses the term "advanced persistent threat" in describing the attacks on Sony, please hit them very hard before disregarding them as ignorant charlatans hell-bent on serving their own interests. Given the wide variety of attackers (see below), the attacks on Sony can only be described as an uncoordinated effort at best.
That said, welcome to the recently coined term, "Sownage". The state of being thoroughly "owned like Sony is".
| Incident | Date | Site | Stock | Who (allegedly) | Observation |
| 2011-04-04 | Anonymous Engages in Sony DDoS Attacks Over GeoHot PS3 Lawsuit | 31.45 | The group Anonymous declares Sony an enemy and begins a DDoS attack against PSN over the 'GeoHot' lawsuit filed earlier in the year. | ||
| 2011-04-20 | Sony PSN Offline | 30.14 | PSN taken offline by Sony due to hack. Network World has a timeline of events related to PSN. | ||
| 2011-04-26 | PSN Outage caused by Rebug Firmware | 29.79 | Sony drops PSN Network due to problems with the 'REBUG' firmware allowing developer access, and rumors of widespread piracy. Initial speculation said the outage was the result of a second DDoS attack by Anonymous. They denied it in a press release saying "for once we didn't do it". | ||
| 1 | 2011-04-26 | PlayStation Network (PSN) Hacked | 29.79 | Anonymous (?) | Sony admits attack took place between April 17 and 19, but did not disclose
until around the 26th. Anonymous blamed by Sony initially, but denies involvement
in hack. Records breached: 77 million names, addresses, email addresses, birthdates, PlayStation Network/Qriocity passwords and logins, handle/PSN online ID, profile data, purchase history and possibly credit cards obtained (DatalossDB Entry) |
| 2011-04-27 | Ars readers report credit card fraud, blame Sony | 29.03 | |||
| 2011-04-28 | Sony PSN hack triggers lawsuit Sony says SOE Customer Data Safe |
28.39 | |||
| 2 | 2011-05-02 | Sony Online Entertainment (SOE) hacked SOE Network Taken Offline |
28.80 | (unknown) | Sony Press Release. Records breached: 24.6 million customer dates of birth, email addresses and phone numbers, including 12,700 non-U.S. credit or debit card numbers and expiration dates and about 10,700 direct debit records including bank account numbers (DatalossDB Entry) |
| 2011-05-03 | Sony Online Entertainment (SOE) issues breach notification letter | 28.44 | |||
| 2011-05-05 | Sony Brings In Forensic Experts On Data Breaches | 27.98 | "Data Forte, Guidance Software, and Protiviti will investigate who hacked into Sony's servers and how they cracked the company's defenses." | ||
| 2011-05-06 | Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony | 28.06 | Gene Spafford wrote an article describing his testimony, and how many media outlets misquoted him. | ||
| 3 | 2011-05-07 | Sony succumbs to another hack leaking 2,500 "old records" | n/a | Sony | Note: This information was available via a Sony website and indexed by Google. This was not a "hack" by any means.
File originally found at products.sel.sony.com/shared/santa/dbs/sweepstake.xls (now offline) Records Breached: 2,500 names and partial addresses of 2001 Sony sweepstakes |
| 2011-05-12 | Lawyers take aim at Sony hack, may miss on payout | 28.23 | |||
| 2011-05-14 | Sony resuming PlayStation Network, Qriocity services | n/a | All SOE games/services were down for a total of 24 days. | ||
| 4 | 2011-05-17 | PSN Accounts still subject to a vulnerability | 28.07 | unknown | With this vulnerability, an attacker has the ability to change a user's password using only their account's email and date of birth. Rumors suggest it was being exploited by bad guys. TNW article titled "Not so fast: Sony's PlayStation Network hacked again" is misleading. Sony blog on incident (vulnerability fixed) |
| 2011-05-18 | Prolexic rumored to consult with Sony on security | 27.80 | "got a call from a recruiter who swore some company called prolexic was hired to protect Sony from Anonymous" Update: Prolexic did provide services to Sony, but only for DDoS mitigation. | ||
| 5 | 2011-05-20 | Phishing site found on a Sony server | 27.05 | unknown | (additional article) |
| 6 | 2011-05-21 | Hack on Sony-owned ISP steals $1,220 in virtual cash (So-net Entertainment Corp) | n/a | unknown | (additional article) Records Breached: e-mail and virtual currency of 128 accounts |
| 7 | 2011-05-21 | Sony Music Indonesia Defaced By k4L0ng666 | n/a | k4L0ng666 | No evidence of personal information being compromised. |
| 8 | 2011-05-22 | Sony BMG Greece the latest hacked Sony site | n/a | b4d_vipera | Apparently done via SQL Injection. Pastebin dump Records Breached: 8,500 usernames, email addresses, phone numbers and password hashes (DatalossDB Entry) |
| 9 | 2011-05-23 | LulzSec leak Sony's Japanese Websites | 26.59 | LulzSec | SQL Injection in www.sonymusic.co.jp (article) Sophos says databases do "not contain names, passwords or other personally identifiable information" |
| 2011-05-23 | Sony forecasts a $3.1B loss for FY 2011 due to quake, PSN failure PSN breach and restoration to cost $171M, Sony estimates |
26.59 | |||
| 10 | 2011-05-24 | Sony says hacker stole 2,000 records from Canadian site (Sony Erricson) | 27.90 | Idahc | Sony Ericsson Got Hacked by Idahc - Lebanese hacker via SQL Injection Idahc dumped 1,000 of the cords to http://pastebin.com/4YGAWxQZ (since removed) Records Breached: Email addresses, passwords and names of 2,000 users (DatalossDB Entry) |
| 2011-05-25 | Sony Begins Providing ID Theft Protection for PlayStation Hack | 27.65 | |||
| 11 | 2011-06-02 | LulzSec versus Sony Pictures | 26.54 | LulzSec | Sophos says 4.5 million records exposed. LulzSec
initially thought to target the elderly, but
clarify they dumped the database by DoB and stopped at 1943. Lulz? Sony hackers deny responsibility for misuse of leaked data Records breached: Over 1,000,000 users' passwords, email addresses, home addresses, dates of birth, as well as administrator login passwords. Information taken from AutoTrader users database, Summer of Restless Beauty users database, Sony Wonder coupons database, Sony Wonder music codes database, Seinfeld Del Boca Vista database (DatalossDB Entry) |
| 12 | 2011-06-02 | Sony BMG Belgium (sonybmg.be) database exposed | 26.54 | LulzSec | Records Breached: Email addresses, usernames, cleartext passwords, internal release dates of records, sales reports (DatalossDB Entry) |
| 13 | 2011-06-02 | Sony BMG Netherlands (sonybmg.nl) database exposed | 26.54 | LulzSec | Records Breached: Usernames, cleartext passwords |
| 2011-06-02 | Sony, Epsilon Testify Before Congress | 26.54 | Tim Schaaff, President of Sony Network Entertainment International Witness Testimony (PDF) "Sony Network Entertainment and Sony Online Entertainment have always made concerted and substantial efforts to maintain and improve their data security systems." | ||
| 14 | 2011-06-03 | Sony Europe database leaked | 26.38 | Idahc | Dump of the apps.pro.sony.eu database via SQL Injection Records Breached: 120 names, phone numbers and e-mail addresses (DatalossDB Entry) |
| 2011-06-05 | Latest Hack Shows Sony Didn't Plug Holes | "Group members said their motivation was to show Sony execs weren't telling the truth when they tried to reassure customers they had revamped security to prevent the simple, almost identical exploits that allowed a range of hackers to take over one of its networks after another beginning in mid-April." | |||
| 15 | 2011-06-05 | Sony Pictures Russia (www.sonypictures.ru) databases leaked | unknown | Another SQL injection attack. @LulzSec confirms they did not find it. Records Breached: all (?) databases of Sony Pictures Russia | |
| 2011-06-06 | LulzSec member arrested | Based on a post to Full-Disclosure, rumors that a member of LulzSec was arrested circulated widely. This news was included in several articles that did not validate the information. LulzSec issued a statement saying the news was wrong, and that "ev0" was not a member of the group. Arik Hesseldahl actually contacted a source at the FBI to confirm this and covered the details in an article. | |||
| 16 | 2011-06-06 | LulzSec Hackers Post Sony Computer Entertainment Developer Network (SCE Devnet) | 25.76 | LulzSec | (additional article #1),
(additional article #2),
LulzSec "press release" on incident Data Leaked: 54meg torrent of Sony Computer Entertainment Developer Network (SCE Devnet) source code |
| 17 | 2011-06-06 | LulzSec hits Sony BMG, leaks internal network maps> | 25.76 | LulzSec | While @LulzSec released the data in one torrent, the group
confirmed the BMG maps did not come from SCE Devnet (tweet since deleted), making this a
distinct and separate compromise. Data Leaked: Sony BMG internal network maps |
| 18 | 2011-06-08 | Sony Portugal latest to fall to hackers | 25.25 | Idahc | Dump of the sonymusic.pt database. Idahc says he found SQL injection, cross-site scripting (XSS) and Iframe injection vulnerabilities in the site. Records Breached: Customer e-mail addresses (DatalossDB Entry) |
| 19 | 2011-06-08 | Spoofing lead to fraud via shopping coupons at Sonisutoa / My Sony Club (Google Translation) | 25.25 | unknown | Through "spoofing", an attacker used 95 accounts to exchange online shopping coupons worth 278,000 points at Sonisutoa (My Sony Club), defrauding Sony of ~ 280,000 yen (~ US$3,500). Sony cannot confirm if e-mail addresses or passwords were leaked. |
| 2011-06-11 | Spain Arrests 3 Suspects in Sony Hacking Case | From the article: "According to a police statement, the suspects are part of Anonymous.." | |||
| 20 | 2011-06-20 | SQLI on sonypictures.fr | 24.28 | Idahc and Auth3ntiq | SQL injection reveals hashed passwords and e-mail addresses. Idahc announced the day before
that the site was vulnerable. Records Breached: 177,172 e-mail addresses (DatalossDB Entry) |
| 2011-06-23 | Class Action Lawsuit Filed Against Sony/SCEA | Suit alleges Sony fired employees in network security weeks before breach | |||
| 2011-06-28 | Sony CEO asked to step down on heels of hacking fiasco | 25.42 | ".. the CEO sidestepped the request and instead pointed out that Sony is hardly the only company to face this kind of cyber assault." | ||
| 21 | 2011-07-06 | Hackers posts fake celebrity stories on Sony site | 26.93 | sonymusic.ie (Ireland) defaced to include the fake stories. | |
| 2011-10-12 | Sony Press Release: 93,000 PSN Account Passwords Compromised | 20.06 | Note: The attack was performed using brute force guessing of accounts. The problem was due to customers using weak passwords. It could be argued that Sony should enforce a stronger password policy. |
Note:
2013
| Incident | Date | Site | Stock | Who (allegedly) | Observation |
| 22 | 2013-??-?? | Sony Corp network infiltrated | Unknown | Unknown attackers compromised the Sony Corporate network, exfiltrated "gigabytes of data" several tiems a week. |
2014 Update!
| Incident | Date | Site | Stock | Who (allegedly) | Observation |
| 23 | 2014-08-24 | DDoS against Sony PlayStation Network | Lizard Squad | According to Hackmageddon, Sony acknowledged a large-scale distributed denial of service (DDoS) attack against the PlayStation Network, Xbox Live, Blizzard's Battle.net, and Grinding Gear Games. The attack against Sony apparently lasted a few hours before service was restored. In addition to the DDoS attack, Lizard Squad allegedly made a bomb threat against American Airlines to divert the flight of a Sony Online Entertainment executive. | |
| 24 | 2014-11-25 | Large-scale Intrusion and leaked documents | 21.60 | Guardians of Peace (GOP) | Another incredibly far-reaching in-depth compromise of Sony Pictures has happened, this time by a group known as the Guardians of Peace (GOP). The new compromise has all of the excitement of the old events and more, as blaming North Korea for the attack in retaliation to a movie being released by Sony Pictures is all the rage. Risk Based Security has been keeping an updated timeline of the breach, analyzing the leaked documents, and providing links to additional information. We will rely on their resource instead of updating ourselves. |
Given the recent testimony from Tim Schaaff, President of Sony Network Entertainment International, one may be led to believe that Sony has been proactive in their digital security. Schaaff told the Subcommittee on Commerce, Manufacturing and Trade, part of the House of Representatives Energy & Commerce Committee, that "Sony Network Entertainment and Sony Online Entertainment have always made concerted and substantial efforts to maintain and improve their data security systems." Looking at a brief, and very likely incomplete, history of Sony's hacking problems, this statement seems absurd.
Schaaff goes on to say "The attack on us was, we believe, unprecedented in its size and scope." With the string of recent high-profile attacks against Lockheed Martin, RSA Security, and HBGary Federal (by the same group allegedly involved in the Sony PSN hack), this comment seems disingenuous. Further, between 2001-02-05 and 2001-05-05, Sony was attacked and compromised 11 times. While this is a slightly bigger time frame than the recent activity (2011-04-17 to 2011-06-02), given the first run was in 2001 and attacks were arguably less frequent (while defacements were considered high profile and got a lot of attention), can Sony really back up this comment?
| Date | Description |
| 1999-11-28 | Sony Panama website defaced (Requires Auth) |
| 2000-11-29 | Sony Switzerland website defaced (Requires Auth) |
| 2000-12-22 | Sony Mexixco website defaced (Requires Auth) |
| 2001-01-01 | SonyStyle Mexico website defaced (Requires Auth) |
| 2001-01-04 | Sony Semiconductor page defaced (www.foundry.sony.com) (Mirror private) |
| 2001-02-05 | Sony Italy website defaced (Requires Auth) |
| 2001-02-18 | Sony Taiwan website defaced (Requires Auth) |
| 2001-02-26 | Sony France website defaced (www.sony.fr) (Mirror private) |
| 2001-02-28 | Sony Korea website defaced (Requires Auth) |
| 2001-03-05 | Sony Malaysia website defaced (www.sony.my) (Mirror private) |
| 2001-03-17 | Sony Chile website defaced (Requires Auth) |
| 2001-03-18 | Sony France website defaced (Requires Auth) |
| 2001-03-27 | Sony Semiconductor website defaced (Requires Auth) |
| 2001-03-29 | Sony Computing Knowledge Base website defaced (Requires Auth) |
| 2001-04-03 | Sony Music Store defaced (Requires Auth) |
| 2001-04-07 | Sony Center Switzerland website defaced (www.sony-center.ch) (Mirror private) |
| 2001-04-08 | Sony Finance Japan website defaced (www.sonyfinance.co.jp) (Mirror private) |
| 2001-04-08 | Sony Music Direct website defaced (www.sonymusicdirect.com) (Mirror private) |
| 2001-04-11 | Sony TrainNet website defaced (Requires Auth) |
| 2001-04-12 | Sony TrainNet Germany website defaced (www.sony-training.de) (Mirror private) |
| 2001-05-01 | Sony TV Brazil website defaced (Requires Auth) |
| 2001-05-05 | Sony India website defaced (Requires Auth) |
| 2001-05-05 | Sony Venezuela website defaced (www.sony.com.ve) (Mirror private) |
| 2001-05-19 | Sony Switzerland website defaced (www.sony.ch) (Mirror private) |
| 2006-05-31 | Sony BMG IT / UK websites defaced |
| 2006-06-06 | Sony Music UK website defaced |
| 2001-06-10 | Sony Thailand website defaced (www.sony.co.th) (Mirror private) |
| 2001-06-22 | Sony Reference Library website defaced (service-asc.sel.sony.com) (Mirror private) |
| 2001-07-05 | Sony Music Store defaced (thestore.sonymusic.com) (Mirror private) |
| 2001-11-15 | Sony Ukraine website defaced (www.sony.ua) (Mirror private) |
| 2002-03-26 | Sony France Headnet website defaced (headnet.csl.sony.fr) (Mirror private) |
| 2006-08-15 | Sony Philippines website defaced |
| 2009-04-21 | Sony New Zealand website defaced |
| 2009-05-13 | Sony Pictures Uganda website defaced |
| 2009-05-28 | Unauthorized copies of customers credit cards were emailed to an outside account |
| 2009-06-03 | Sony Rewards (sonyrewards.com) Breach |
| 2009-06-19 | Sony Music Philippines website defaced |
| 2009-07-31 | Sony BMG Brazil website defaced |
| 2009-07-31 | Sony Music Brazil website defaced |
| 2009-10-15 | Sony Music Korea website defaced |
| 2009-10-15 | Sony BMG Music Hungary website defaced |
| 2009-10-15 | Sony Music Hungary website defaced |
| 2009-12-06 | Sony Photocontest Iran website defaced |
| 2009-12-11 | Sony Walkman India website defaced |
| 2010-03-23 | Sony Pictures Argentina website defaced |
| 2010-03-23 | Sony Music Germany (afh.sonymusic.de) website defaced |
| 2010-05-26 | Sony BMG Netherlands (uc.sonybmg.nl) website defaced |
| 2010-09-19 | Sony Music Store (Celine Dione site) website defaced |
| 2010-09-20 | Sony Music Store (Bob Dylan site) website defaced |
| 2010-11-12 | Sony BMG Brazil website defaced |
| 2010-11-12 | Sony Music Brazil website defaced (Remains defaced until 2011-06-05), defacement removed ~ 2011-06-07 after media attention of the defacement. Site only shows a "You are not authorized to view this page" default IIS page. |
| 2010-12-01 | Sony Club Iran (sonyclub.sony.co.ir) website defaced |
| 2010-12-27 | Sony Iran (babyphoto.sony.co.ir) website defaced |
| 2011-01-17 | Sony PS3 hackers make Modern Warfare 2 'unplayable' |
| 2011-02-01 | Sony Music Czech Republic (sonymusic.cz) website defaced |
| 2011-02-19 | PS3 Hackers Can Now Unban Themselves |
Note: This list is likely incomplete, and just represents a quick search of past Sony activity related to the insecurity of their networks. Events involving vulnerable Sony software or the many rootkit fiascos are not included.
Jun 4 Update: Elinor Mills pointed out the 06/03 Europe database event
Jun 4 Update: Kane Lightowler sent 20 legacy events
Jun 4 Update: Gene Spafford sent a link to his blog about his testimony
Jun 4 Update: Several pointed out Sony rootkit drama. Updated note disclaiming scope of legacy table
Jun 4 Update: @pctservices01 provided link about PS3 Hackers Unbanning
Jun 4 Update: Tuna informs me that Prolexic provided DDoS mitigation services only
Jun 5 Update: Peter Downey provided link about PS3 Hackers / Modern Warfare 2
Jun 5 Update: Added SNE closing stock price for the day of each incident. Idea courtesy Ryan Russell
Jun 5 Update: @LulzSec points out two missing compromises on Jun 6
Jun 5 Update: Sony Music Brazil defacement confirmed as happening ~ 2010-11-12, and remains unfixed since (thanks Kane Lightowler)
Jun 6 Update: Added Network World's timeline for the PSN breach
Jun 6 Update: Added confirmation to Sony Russia, that @LulzSec was not responsible
Jun 6 Update: Added clarification about LulzSec targeting elderly to 6/2 Sony Pictures incident
Jun 6 Update: Added entry to cover the supposed news of a LulzSec member being arrested
Jun 9 Update: Added link to DatalossDB for #14
Jun 9 Update: Thanks to @MasafumiNegishi and @superspryte for translation help
Jun 12 Update: Added original DDoS and REBUG links. Thanks Laurens Vets for REBUG info.
Jun 18 Update: Alldas.de sent us a copy of their defacement mirror from ~ 2001. Updated the legacy list to include a lot of defacements
Dec 8 2014 Update: Added new huge Sony Pictures breach as separate table, since three years later