DHS probing Sony PlayStation network attack

Massive data breach could enable hackers to break into banking and other commercial systems.

The Homeland Security Department, charged with protecting the nation's critical infrastructure, is helping to mitigate the damage from a breach of customer account data on Sony's online video game and entertainment networks that could have affected 77 million users, DHS officials said.

Over a three-day period last week, intruders hacked into user profiles on the PlayStation Network gaming console and the company's music and video service Qriocity, Sony officials disclosed on Tuesday.

"The Department of Homeland Security is aware of the recent cyber intrusion to Sony's PlayStation Network and Qriocity music service," DHS spokesman Chris Ortman said. "DHS' U.S. Computer Emergency Readiness Team is working with law enforcement, international partners and Sony to assess the situation."

While gaming and music networks may not be considered "critical infrastructure," the data that perpetrators accessed could be used to infiltrate other systems that are critical to people's financial security, according to some computer experts. Stolen passwords or profile information, especially codes that customers have used to register on other websites, can provide hackers with the tools needed to crack into corporate servers or open bank accounts.

The PlayStation site states that the perpetrator obtained the names, addresses and birth dates of registered users, as well as their email addresses, network usernames and login passwords. User profile information, such as answers to password security questions and purchase histories, also may have been taken. The company has no evidence that credit card data was stolen, but officials said they cannot rule out the possibility.

US-CERT offers victimized companies guidance on service restoration and risk management, as well as recommendations for improving overall network and control systems security. The team also shares information gleaned from investigations with private sector and government cybersecurity specialists to prevent similar strikes elsewhere.

Patrick Burke, senior vice president in the national security sector at SRA International, said Homeland Security's role in a situation such as Sony's is to help companies exchange information about the nature of their losses with customers, the commercial sector and the government as soon as a breach is discovered. "There can't be a fear of retribution," he said.

The public was outraged this week after learning Sony waited until April 26 to tell customers it had detected an intrusion on April 19. The consumer electronics company took down the compromised services around the 20th, reporting on its blog, "We're aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information."

"We're all in this together," Burke said. "We all need to understand that. There's an adversary that we're trying to defeat. If we're not going to share information when we're attacked . . . that's gotta get fixed."

In terms of the scale of the customer account break-in, the PlayStation hack is outranked by two recent invasions. An intrusion at TJX Companies Inc. that was reported in 2007 exposed data from more than 94 million credit and debit cards belonging to consumers who had shopped at TJ Maxx, HomeGoods, A.J. Wright and Marshalls stores. In 2009, an incursion at Heartland Payment Systems Inc., which processes debit and credit card transactions, compromised about 130 million cards.

The Sony incident "is scary but it's not world-ending scary," said Jerry Brito, director of the technology policy program at George Mason University's Mercatus Center. "We have much more to fear from nuclear weapons and real war."

He does not see a role for DHS to play in damage control.

"Now that this has happened I think it's time for law enforcement to do their jobs and catch the bad guys," Brito said.

FBI officials are involved in the case. "The FBI is aware of the reports concerning the alleged intrusion into the Sony online game server and we have been in contact with Sony concerning this matter," FBI Special Agent Darrell Foxworth said in a statement. "We are presently reviewing the available information in an effort to determine the facts and circumstances concerning this alleged criminal activity."

The FBI is asking the public to provide information by calling (858) 565-1255 or online through the Internet Crime Complaint Center.

Brito does not expect players to experience extensive financial losses as a result of the PlayStation breach because scammers already had access to this kind of credit card information and personal data on the black market. Sony, however, likely will face lawsuits and may lose customers, he noted.

"Corporate America has not been paying attention to this," Brito said. "All of these private enterprises now have an incentive to make sure this doesn't happen to them. I don't see what the government is going to do extra."