They Knew For 6 Days: The PlayStation Network Hack Timeline

According to details from Sony themselves in a letter to congressional subcommittee, Sony was aware that data had been removed from their systems six days before warning customers that accounts had been compromised. All dates and times from Sony's missive to Congress.

April 19, 2011. 4.15pm PDT – Sony Network Entertainment America (SNEA) network team detects unauthorised activity in the network of 130 servers. Specifically, machines were "rebooting when not scheduled to do so". Analysis begins.

April 20, 2011. Early Afternoon – SNEA engineers discover evidence of "unauthorised intrusion" and that data had been removed with PlayStation Network servers. PlayStation Network shut down by engineers, taking 77 million registered PlayStation Network and Qriocity accounts offline. Sony retains service of computer security and forensic consulting firm.

April 21, 2011 – Sony retains services of second computer security and forensic consulting firm.

April 22, 2011 – Nine of 10 compromised servers are mirrored by Sony and security firms. Sony Computer Entertainment America (SCEA) general counsel provides FBI with information about the intrusion. A meeting with the FBI is scheduled for Wednesday, April 27th, 2011.

April 23, 2011. Afternoon – Forensic teams confirm that intruders used "very sophisticated and aggressive techniques to obtain unauthorised access, hide their presence from system administrators, and escalate privileges inside the server."

April 24, 2011. Easter Sunday – Sony retains additional forensic team with "highly specialised skills" to "determine the scope of the data theft".

April 25, 2001 – Teams confirm account details compromised, including name, address, country, email, birthdate, PlayStation Network/Qriocity password, login, handle and network ID, but remain unsure if any of the 12.3 million global credit cards stored on the servers were compromised.

April 26, 2011 – Sony Network Entertainment and Sony Computer Entertainment America provide public notice of the intrusion and alert regulatory authorities in New Jersey, Maryland and New Hampshire.

April 27, 2011 – SCEA alert regulatory authorities in Hawaii, Louisiana, Maine, Massachusetts, Missouri, New York, North Carolina, South Carolina, Virginia and Puerto Rico.

May 3rd, 2011 – Sony Chairman Kaz Hirai sends letter to Congressional Subcommittee on Commerce, Manufacturing, and Trade explaining details of intrusion.


Comments

    But the confirmation of what details were taken was made on the 25th. People were notified the next day. They could hardly announce what data was taken when there was still an investigation going on.

      Completely agree, there is a difference between knowing "something" was taken, compared to what "specifically" was taken.

      Making an announcement stating that data was taken, but not being able to tell anybody what was taken can simply lead to generating more panic.

      Ditto. They new someone has kicked in the door. They didn't know what (if anything) had been stolen on the 20th.
      There was nothing to report on the 20th, at least, nothing we hadn't already gathered ourselves (PSN is down - something bad happened)

      People finally speaking sense of Sony's actions. Cant say how many time the past week i've been saying this to people as mentioning very general details, without a proper investigation will lead to panic and make the whole process of finding the culprit and restablishing its servers harder. You dont tell a bus load of people that theres a bomb on board, till you assess the situation, implications and plan ahead what has to be done, to ensure nothing or noone is harmed

      Yes, exactly. It drives me insane and has for days that people talk about how "slow" Sony was to tell people. The actuality is that telling peoople can't happen until they actually know what happened, and probably not until they've started actual recovery. Crying an alarm before knowing the extent just creates needless panic.

    Title is vague and very misleading. People are clearly freaked out about credit card fraud and this is the title you use?

    I know you guys need to generate hits, but inciting unecessary fear and anger to do so is a new low for Kotaku.

    'The PlayStation Network Hack Timeline' would have been just fine.

    'They Knew For Six Days'? You might as well have gone with, 'Sony: IT WAS US'.

Join the discussion!