Sony considering bounty for PSN attack

Sony is reported to be considering offering a reward for information leading to the arrest and prosecution of those behind the recent breach of its PlayStation Network (PSN).

Sony is reported to be considering offering a reward for information leading to the arrest and prosecution of those behind the recent breach of its PlayStation Network (PSN).

The Wall Street Journal's All Things Digital reported today that a bounty is one of several options Sony is considering to try and get information on the hackers responsible for the intrusion.

No final decision has been made yet, and the company could still drop the plan entirely, the report, which quoted unnamed sources, said.

Discussions on the pros and cons of offering a bounty are ongoing and will require approval from Sony's executive team in Japan, the report said.

If the plan does move ahead, Sony will work with the FBI and other international law enforcement authorities to offer the reward, it noted.

The reward apparently is just one of the options Sony is considering as it works with law enforcement to track down the perpetrators.

Sony did not respond to a request for comment on the bounty that it is allegedly considering.

Sony's PlayStation Network has been offline since April 20th following a malicious intrusion. The breach compromised the names, addresses, birth dates, purchase histories, online IDs and in some cases credit card data, of 77 million subscribers to PSN and its Qriocity service, the company said.

Sony disclosed the breach more than six days after it had abruptly shut down PSN. The breach has become a high-profile example of the challenges companies can face when investigating sophisticated cyberattacks.

In a letter to Senator Richard Blumenthal (D-CT) last week, Kazuo Hirai, president and group CEO of Sony Computer Entertainment, offered one of the most detailed timelines of the breach yet.

The letter was sent in response to a demand from Blumenthal seeking more information from Sony on what exactly had happened, and why the company had delayed notifying consumers about the breach.

Hirai said Sony first encountered problems with PSN on April 19, when several of the 130 servers running the network, began unexpectedly rebooting themselves. The unusual activity prompted network engineers from Sony Network Entertainment America to immediately take four servers offline and begin an inspection of the systems.

On April 20, the team recruited more people into its internal investigation team and quickly discovered that an intruder had broken into the network. That same day, investigators discovered that six other servers had also possibly been compromised.

The company hired an external security team to mirror the servers and conduct a forensic analysis of the systems. As the size and scope of the attack began emerging, Sony hired a second forensics team and then a third company to help assist the company with its investigations.

Hirai said investigations showed that the intruders had used "very sophisticated and aggressive techniques" to access the systems and then hide their tracks. "Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network."

It took investigators until April 25 to figure out what personal data exactly might have been taken, but even at that point the company did not know for sure if credit card data had been compromised, Hirai said.

Despite this fact, Sony decided to inform consumers about the potential compromise of their credit card data on April 26, because it wanted to make sure it was complying with all relevant state breach notification requirements, he said.

On May 1, more than 10 days after it first discovered the intrusion into PSN, investigators discovered that data had also been stolen from the Sony Online Entertainment. That discovery prompted a shut down of the service on May 2.

In all, a total of 12.3 million active and expired credit cards, including about 5.6 million in the U.S., were potentially exposed, Hirai said.

The breach at Sony Online Entertainment resulted in the potential theft of account information belonging to 24.6 million account holders. That breach potentially exposed data on 12.700 credit cards and another 10,700 debit cards, all belonging to non-U.S. customers.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is .

Read more about data security in Computerworld's Data Security Topic Center.

Copyright © 2011 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)