Nearly two weeks after being the subject of one of the largest data breaches in business history, the PlayStation Network will go back online this week, Sony announced Sunday morning.
The company, which says the service restoration will be a phased one, also discussed several new security enhancements, as well as a program meant to encourage gun-shy users to return to the PSN.
"We would like to extend our apologies [to those] who we inconvenienced and worried because we potentially compromised their data," said Kazuo Hirai, executive deputy president of Sony (and widely considered to be the chief candidate to replace CEO Howard Stringer at some point). "We offer our sincerest apologies."
By the end of the week, Sony plans to restore online game-play access for both the PlayStation 3 and PSP portable gaming device, along with user access to accounts, online movie and music streaming and chat functionality.
That’s bound to make core gamers happy, but many of the 77 million people whose information was illegally obtained by hackers are still worried that their credit card information might have been compromised as well. Sony says that data was encrypted, but acknowledged that it did have 10 million accounts with credit card information on file.
"We take the security of our consumers' information very seriously and are committed to helping our consumers protect their personal data," said Hirai. "The organization has worked around the clock to bring these services back online, and are doing so only after we had verified increased levels of security across our networks."
While there have been no proven incidents of credit card data being used by the intruders, Sony says it will help users enroll in identity theft protection services.
To guard against future attacks, Sony said it intends to accelerate a previously planned move of the PSN data from its San Diego data center to a more secure (and undisclosed) location. Also in the works are enhanced detection capabilities for attacks, added layers of encryption and data protection and additional firewalls.
To minimize immediate troubles, users who log onto their PSN accounts will be forced to change their password, and will only be able to do so from the same PS3 on which the account was created or via validated email.
The company is also creating a new position of chief information security officer, to oversee future security enhancements and guard against future attacks.
Sony says the data breach occurred at some time between April 17 and 19 and was the work of a "highly sophisticated attack by a skilled intruder," who "took steps to cover his tracks". The company has called in three private security firms to investigate the intrusion. Additionally, it has requested the FBI conduct a criminal investigation into the attack.
In an effort to bring users back to PSN, Sony plans to launch an incentive program when the service once again becomes available later this week, offering selected free content, 30 free days of the company’s PlayStation Plus subscription service and 30 free days of its Qriocity Music streaming service.
Responding to criticism that it waited too long before revealing the extent of the security breach, and that the company was slow in responding to the attack, Hirai noted that shutting down the PlayStation Network system took "more time than expected" and the internal data analysis took "more time than we had hoped". However, he added, the delay in announcing the extent of the breach was due to the company wanting to have the full story before talking publicly.
Beyond the impact to consumers, the data breach may cost credit card lenders more than $300 million in card replacement costs, say analysts.
Additionally, should the hackers manage to break the encryption on the 10 million card numbers, it could result in substantial losses for retailers.
"For the banks and credit card companies, it will be a major hassle, but the fraud that happens as a result of data that is stolen from an e-commerce provider accrues to the retailers," says Avivah Litan, vice president and distinguished analyst at Gartner. "If Sony had been a retailer who had physical card data, (credit card companies and banks) would fine Sony for it, but when it happens to an e-commerce firm, all of the costs go to the retailers, and the banks protect themselves."