Sony has finally come clean about the ‘external intrusion’ that caused the company to take down its online PlayStation Network, and the news is almost as bad as it can possibly get.
Sensitive personal details of tens of millions of internet users have been stolen by hackers in one of the biggest ever cases of data theft, it has emerged.
In a post to the official PlayStation blog Tuesday afternoon, Sony of America’s director of communications said that “an illegal intrusion” in their system has caused a “compromise of personal information.”
While they don’t believe credit card information was taken, they say that hackers may have taken the names, addresses, e-mails, birthdates and passwords, among other things, of around 77 million customers.
The network provides online video gaming services and allows streaming of films and music via the internet. It requires members to submit credit card and personal details to subscribe.
PlayStation Network members have also endured a week without online gaming access after the Japanese giant pulled the plug on the service last Wednesday; it has spent the past week investigating the breach.
On Tuesday gamers grew increasingly irate as news of the data theft spread, wondering why it had taken Sony six days to reveal that personal information had been taken.
“You waited a week to tell us our personal information was compromised? That should have been said last Thursday,” wrote one angry gamer in a comment under the PlayStation blog post.
Another agreed: “This update is about 6 days late. I think it is time to move to the other network, no regard for customers here.”
In response to the growing criticism, Sony issued a follow-up statement on Tuesday evening clarifying that they did not know that personal data had been taken until Monday: “There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised.”
“We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.”
“It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.”
Experts described the security breach as a “nightmare” scenario, which could leave millions of PlayStation users open to identity and credit card fraud.
The theft is particularly worrying due to the variety of information stolen and because many people use the same passwords for all their online services such as email, internet shopping and online bank accounts.
It also comes as an embarrassment to Sony and could deal a severe blow if customers lose confidence in its security systems.
In a statement to be emailed to millions of PlayStation Network users worldwide, Sony warned: “We believe that an unauthorised person has obtained the following information that you provided: name, address, country, email address, birth date, PlayStation Network/Qriocity password and login.
“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.”
Sony on Tuesday also posted a Frequently Asked Questions page vaguely addressing reader questions such as who might be behind the hack attack, whether PSN users would be getting any money back and addressing a related attack at Sony Online Entertainment.
Online security experts last night said the revelation could deal a “devastating blow” to Sony and questioned the company’s monitoring of threats to its systems.
Graham Cluley, senior technology consultant at Sophos, a security and data protection service, said: “This certainly ranks as one of the biggest data losses ever to affect individuals.
“This is not just a nightmare for Sony, but also worrying news for the millions of people who use the network. Once again users will have their confidence shaken by a major company losing their personal information.”
Though it is by no means uncommon for user data to be stolen by hackers, this is one of the largest and most high profile online data thefts to come to light.
“To be fair, Sony does apologize for the inconvenience. There is still no update on when service will be restored, but that is the least of your concerns if you have a PlayStation Network account,” writes ArsTechnica’s Ben Kuchera.
“It’s time to change your passwords, at the very least, and if you’d like to be completely safe it’s not a bad idea to cancel your credit or debit cards and request replacements.” [PlayStation Blog via The Telegraph (UK), ArsTechnica and In-Game on MSNBC]