Sony reports further security breach

Out-Law News | 03 May 2011 | 3:14 pm | 4 min. read

Hackers may have stolen the personal details of 25 million online gamers, Sony has announced.

The company has reported that it has turned off its Sony Online Entertainment (SOE) system after detecting a breach of its security. SOE enables computer gamers to play against one another online.

It is the latest security breach announced by Sony after it revealed last week that the details of 77 million PlayStation Network account holders may have been stolen.

The latest breach affects customers who use PlayStations, PCs or Facebook to register with SOE.

"We are today [Monday] advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password," an SOE statement said.

The Associated Press news agency quoted Sony as saying that the data breach occurred on April 16 and 17. Sony had previously thought that its SOE system had not been hacked into.

Credit card information stored on an old database has also been stolen, affecting some customers outside the US, Sony said.

"Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained. We will be notifying each of those customers promptly," the Sony statement said.

SOE's main credit card database was not breached, the statement said.

An independent security firm has been instructed to "conduct a full and complete investigation into what happened," Sony said.

The company said it was enhancing its security and strengthening its "network infrastructure to provide you with greater protection of your personal information."

Sony warned that scammers may contact customers under the guise of Sony in an attempt to obtain more information.

"For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking," the statement said.

"When SOE's services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well," Sony said.

On 27 April Sony admitted that more than 77 million customers registered with the PlayStation Network (PSN) may have had their personal details stolen. The company turned off its PSN and music streaming service Qriocity on 20 April after discovering an "external intrusion" into the information stored on its databases. PSN allows PlayStation 3 users to log in online and play games against other users live, as well as download games, films and other media.

The stolen information comprised users' names, addresses, countries, email addresses, birthdays, and their PSN usernames and passwords.

"It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained," Sony said on 27 April.

Sony has indicated that it hopes to restore customer access to the PSN later this week.

On Sunday three senior Sony executives bowed at a press conference in a traditional Japanese expression of apology for the cyber attacks.

"This criminal act against our network had a significant impact not only on our consumers, but our entire industry," Kazuo Hirai, chief of Sony Corp's PlayStation video game unit, said.

"These illegal attacks obviously highlight the widespread problem with cybersecurity. We take the security of our consumers' information very seriously and are committed to helping our consumers protect their personal data," Hirai said.

The FBI and other criminal investigators are involved in determining the culprit of the cyber attacks on Sony's data centre in San Diego, California, Hirai said.

The Sony data breach is thought to be one of the largest personal information breaches ever.

In 2007 TJX, a discount clothes retailer, announced that credit card information had been stolen from more than 45 million customers. TJX owns TK Maxx. Anyone who shopped between January 2003 and June 2004 is at risk, TJX said at the time.

Some of the information was stolen by hackers breaking into the wireless networks used to transmit credit card details. TJX said at the time that 75% of the cards had expired or had their numbers blacked out, but did admit that decryption software programs might be able to fill in some of the blacked out numbers.

TJX agreed to pay $40.9m to Visa member banks to compensate them in return for those banks agreeing "to release TJX and its U.S. acquirers from legal and financial liability," according to a statement from Visa and TJX.
