
Anatomy of a Breach: Sony PlayStation Network — 77 Million Accounts and 23 Days of Darkness

> series: anatomy_of_a_breach —— part: 028 —— target: sony_playstation_network —— accounts: 77,000,000 —— downtime: 23_days

Hedgehog Security 30 April 2011 14 min read

77 million accounts. 23 days offline. The attack 'could have been prevented.'

On 20 April 2011, Sony took the PlayStation Network (PSN) offline after detecting unauthorised activity on its network. Six days later, Sony confirmed what gamers worldwide feared: the personal data of approximately 77 million PSN accounts had been compromised. The stolen data included names, addresses, email addresses, dates of birth, PSN login credentials, and — for an undisclosed subset of users — credit card numbers and expiry dates.

The PlayStation Network remained offline for 23 days — an eternity for the gaming community and a commercial catastrophe for Sony. The total cost of the breach was estimated at $171 million. The UK's Information Commissioner's Office fined Sony £250,000, finding that the attack 'could have been prevented' if Sony had implemented known security measures. The ICO specifically noted that Sony's software was not up to date, that known vulnerabilities had not been patched, and that passwords were not adequately protected — failures that a routine penetration test would have identified.



What the ICO found Sony had failed to do.

The ICO's enforcement notice was unusually specific about the security failures that enabled the breach. The findings read like a penetration test report — and they describe vulnerabilities that our testing identifies routinely.

| ICO Finding | What It Means |
|---|---|
| Software was not up to date | Known vulnerabilities in the Apache web server software running PSN were not patched. Vulnerability scanning identifies missing patches, and Cyber Essentials mandates a 14-day critical patching window under Danzell. |
| Known vulnerabilities not addressed | The specific vulnerabilities exploited by the attackers were publicly known and patches were available. This is the definition of a preventable breach — and the exact scenario our infrastructure penetration testing is designed to identify. |
| Passwords not adequately protected | User passwords were not hashed using an appropriate algorithm. Weak password storage means a database breach exposes credentials in a usable form. Our password cracking assessments evaluate password storage security. |
| No firewall between web servers and database | The database containing 77 million user records was accessible from the compromised web server without adequate network controls. Infrastructure testing validates network segmentation between application tiers. |
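The "passwords not adequately protected" finding is the one a developer can fix directly. The following is an added example (not Sony's code and not Hedgehog's tooling) showing salted, iterated password storage with constant-time verification, alongside an audit routine that classifies existing credential rows so weak ones can be re-hashed at next login. The iteration count, the storage format and the sample rows are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Assumption: work factor chosen for this example; tune to your login latency budget.
PBKDF2_ITERATIONS = 600_000
HEX_DIGITS = set("0123456789abcdef")


def hash_password(password: str) -> str:
    """Per-user random salt plus a slow KDF: a leaked row is not a reusable credential."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2-sha256":
        return False  # anything not in the hardened format never verifies
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def classify_storage(stored: str) -> str:
    """Label how a stored credential was protected, for a migration audit."""
    if stored.startswith("pbkdf2-sha256$"):
        return "adequate"
    # Bare 32/40/64-char hex is the signature of an unsalted MD5/SHA-1/SHA-256 digest:
    # fast to compute and identical for every user with the same password.
    if set(stored.lower()) <= HEX_DIGITS and len(stored) in (32, 40, 64):
        return "weak-unsalted-hash"
    return "weak-plaintext-or-unknown"


def audit_table(rows: dict) -> Counter:
    """Count accounts per storage class; weak classes are the remediation backlog."""
    return Counter(classify_storage(stored) for stored in rows.values())


# Constructed sample credential table for the audit (not real account data).
SAMPLE_ROWS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": "2ab96390c7dbe3439de74d0c9b0b1767",  # md5("hunter2"), unsalted
    "carol": "hunter2",                          # stored in plaintext
}

if __name__ == "__main__":
    print(audit_table(SAMPLE_ROWS))
```

Running the audit over a real table gives the count of accounts whose credentials would be exposed in usable form by a database breach, which is exactly the ICO's concern.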

23 days offline and a $171 million lesson.

23 Days Without Service

PSN's 23-day outage was unprecedented for a consumer service of its scale. The downtime affected not just gaming but also streaming services, online purchases, and the PSN Store. Revenue loss, customer compensation (including free games and identity theft protection), and infrastructure rebuild costs totalled an estimated $171 million.

ICO Fine: £250,000

The UK ICO's £250,000 fine — the maximum available at the time — was accompanied by an enforcement notice detailing specific technical failures. Under GDPR, which was not yet in force, the fine could have been 4% of global turnover — approximately $2.8 billion based on Sony's 2011 revenue.

77 Million Users at Risk

The scale of the breach — 77 million accounts in a single incident — set a record that stood for years. Users were advised to change passwords on any service where they had reused their PSN credentials, raising the same cascading credential-reuse concerns seen in the <a href="/blog/anatomy-of-a-breach-2010-year-review">Gawker credential-stuffing wave</a>.

Sony's Security Posture Was Publicly Shamed

The ICO's statement that the breach 'could have been prevented' was devastating for Sony's reputation. It established a precedent: regulators would publicly state when breaches resulted from negligent security practices, not just sophisticated attacks.

The breach that was entirely preventable.

The Sony PSN breach is the case study for preventable breaches. Every vulnerability the ICO identified — unpatched software, known vulnerabilities, weak password storage, absent segmentation — is a standard finding in penetration testing. Had Sony commissioned a web application test and infrastructure assessment of the PSN platform, these vulnerabilities would have been found and remediated before the attackers found them.

For any organisation operating a platform with millions of users, the Sony breach establishes the minimum: regular penetration testing, vulnerability scanning, prompt patching (now mandated by Cyber Essentials Danzell), strong password hashing, and network segmentation between application tiers. SOC in a Box provides the continuous monitoring that detects intrusions before they reach the database. And UK Cyber Defence provides the incident response capability for when a breach is discovered.


The ICO said it 'could have been prevented.' Can you say the same about your platform?

Our <a href="/penetration-testing">penetration testing</a> finds the unpatched software, the weak password hashing, and the missing segmentation before an attacker does — and before the ICO tells you it was preventable.
