Sony presented evidence to the US Congress yesterday in the form of a letter that contained some detail of the PSN/SOE hacks including a timeline, but also some fascinating facts and figures regarding the 77 million user accounts on PSN.
First up, the network detail:
"The PSN is a complex network, consisting of approximately 130 servers, 50 software programs and 77 million registered accounts."
In response to the direct question, "How many PSN account holders provide credit card information to Sony Computer Entertainment?" Congress was informed:
"Globally, approximately 12.3 million account holders had credit card information on file on the PlayStation Network system. In the USA, approximately 5.6 million account holders had credit card information on file on the system."
The letter continued, "These numbers include active and expired credit cards."
While only 12.3 million people have added credit card details, Sony's letter does state that, "Information appears to have been stolen from all PlayStation Network user accounts, although not every piece of information in those accounts appears to have been stolen. The criminal intruders stole personal information from all of the approximately 77 million PSN and Qriocity service accounts."
The letter also provides a timeline of events:
April 19th 2011 at 4:15pm PDT - "...several PSN servers unexpectedly rebooted themselves and that unplanned and unusual activity was taking place on the network", "...members of the Sony Network Entertainment America Network Team (SNEANT) detected unauthorised activity system...".
April 20th (Early Afternoon) - "SNEANT discovered evidence that an unauthorised had occurred and that data of some kind had been transferred off the PSN servers without authorisation...", "SNEANT retained a recognised security and forensic consulting team to mirror servers to enable forensic analysis to begin..."
April 21st - "Sony retained a second recognised computer security and forensic consulting firm to assist in the investigation..."
April 22nd (Afternoon) - the 'team' "completed mirroring of nine of the 10 servers that were suspected of being compromised."
April 22nd - "SCEA's general counsel provided the FBI with information about the intrusion... a meeting was set up for Wednesday April 27th 2011."
April 23rd (Evening) - "the forensic teams were able to confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorised access, hide their presence from the system administrators, and escalate privileges inside the servers."
April 25th - "the forensic teams were able to confirm the scope of the personal data that they believed had been taken but could not rule out whether credit card information had been accessed."
April 26th - "SCNEA and SCEA notified consumers that their personal information had been taken and that the companies could not rule out the possibility that credit card data had been stolen as well."
April 27th - "SCNEA also notified regulatory authorities in the states of Hawaii, Louisiana, Maine, Massachusetts, Missouri, New York, North Carolina, South Carolina, Virginia and Puerto Rico of the criminal intrusion described above."
Sony's official timeline to Congress ends here. We've also noticed, however:
May 3rd - Sony releases information regarding theft of credit card information to the public via PSBlog.
We, like everybody else, are going over that letter with a fine-toothed comb.