Sony continues to face withering criticism from its gaming customers for cyberattacks that have potentially exposed their financial information. But the disclosure of a second breach has given more credibility to the Japanese technology company’s internal view that the hackers had a level of sophistication that would have been hard for any company to withstand.
Sony on Monday shut down a second network for its gamers, Sony Online Entertainment, and later said that one or more criminals had made off with the credit and debit card numbers or other sensitive financial data of more than 23,000 users of the network.
That is a small proportion of the 24m people who use multiplayer games such as EverQuest on the network. Sony also maintained there was no evidence the intrusion at the main PlayStation Network two weeks ago had involved hackers extracting financial data on its more than 70m players.
“It is an incredibly sophisticated attack,” said one person working with Sony. “The scale is enormous.” The company’s existing database and security providers, which include Oracle, are continuing to sift through data reports to understand how far the hackers have gone.
Because the two online gaming networks share few resources and had separate security structures, Sony should not be faulted for discovering the second breach more than a week after the first, experts said.
“I am not going to indict them for that,” said Jeremiah Grossman, founder of WhiteHat Security. “You can assume it could take them a long time to check the whole system.”
Company executives in Japan said at the weekend that the hackers had broken in through an application server, which processes electronic requests for specific programmes, and established a communications channel. They used that access to attack the database server, and from there reached the store of user passwords and addresses on the PlayStation Network.
Mr Grossman said that suggests the hackers had made use of a technique known as SQL injection, in which the database fails to recognise that it is executing an improper command. That approach is preventable but remains a widely successful method for hackers. Others said SQL injection alone would not have been enough to enter the second network.
“Most probably it was a ‘spear-phishing’ attack that fooled a system administrator into installing an infected piece of software, from where the attackers could pivot to do the rest,” said Alan Paller, research director at the non-profit SANS Institute for computer security. “Spear-phishing” refers to an e-mail or instant message that targets a specific person or small group. That has been the dominant method for a spate of intrusions revealed in the past 18 months at companies such as Google and RSA, the security company owned by US data storage group EMC.