Sony has been coming under fire today after it revealed the severity of the PlayStation Network breach. Sony alerted customers that their PSN/Qriocity logins, IDs, email addresses, purchasing history and possibly credit card information had been stolen during the hack. This led many to criticize Sony for not alerting customers earlier. Senator Blumenthal of Connecticut sent a letter to SCEA president Jack Tretton asking this very question. Sony is now saying it didn’t withhold information from its customers.
In a statement released this evening, Patrick Seybold, Sr. Director, Corporate Communications and Social Media, said Sony didn’t know the extent of the hack until Monday. It was aware that there was an intrusion last week and decided to consult outside experts to assess the damage.
Here is the full statement:
There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.
It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.
This would explain why we didn’t hear about the account thefts until today, but something about this statement doesn’t add up.
The email Sony is sending to customers says,”We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.”
Now Sony says it learned of the intrusion on April 19, and didn’t know about any compromised accounts until its experts conducted “several days of forensic analysis.”
Which is it Sony? Did you know about compromised accounts between April 17 – April 19, or April 25?
Edit: There’s also the possibility that Sony means that all the thefts occurred within two days and it didn’t know about compromised data until yesterday. That would make much more sense. That still doesn’t excuse the lackluster security within the network.