In the midst of investigating and cleaning up a data breach affecting millions of users of its PlayStation Network, Sony is now announcing that the attack also affected servers of its Online Entertainment division.
The Sony attack, which took place April 16 and 17, brought the PlayStation Network to a halt for more than a week, disrupting 77 million account holders. The Sony security breach exposed credit card information of about 10 million subscribers. In new details, released Tuesday, Sony said an attack also exposed the data of an additional 24.6 million Sony Entertainment account holders.
The company said an affected database includes more than 12,000 non-U.S. credit and debit card numbers and 10,700 debit cards of users in Austria, Germany, the Netherlands and Spain. The credit card data is associated with an “outdated database from 2007,” Sony said.
Information exposed to attackers includes names, addresses, email addresses, birth dates, phone numbers and account credentials. The entertainment giant said account passwords were hashed.
Sony said it has shut down all servers related to its online entertainment services and said it would notify victims via email and compensate customers for service downtime.
In a message posted on its website, Sony apologized to customers for the inconvenience and said it would fully investigate the intrusion. The company said it is also taking steps to strengthen its security and network infrastructure.
“We had previously believed that SOE [Sony Online Entertainment] customer data had not been obtained in the cyberattacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible,” Sony said.
The company said it has no evidence that its main credit card database was compromised. “It is in a completely separate and secured environment.”
In discussions on several hacker forums, attackers are reportedly boasting that they have credit card information for more than 2 million Sony customers. In a Q&A posted on the Sony PlayStation Network blog, the company said the entire credit card table associated with the network was encrypted and that there is no evidence credit card data was taken.
A class-action suit against Sony was also recently filed in San Francisco alleging damages from the breach. The complaint seeks payment for damages, payment of credit monitoring fees and refunds from Sony and Qriocity, its movie and game-streaming service provider.
Chester Wisniewski, a senior security advisor for security vendor Sophos, said the latest disclosure may indicate that Sony didn’t know it had additional customer financial data stored on its servers. Wisniewski wrote on the Sophos Labs blog that it was unfortunate that Sony had not taken a few preventative measures to safeguard customer information.
“Whether Sony's bad practices are an act of hubris or simply gross incompetence is hard to discern,” Wisniewski wrote. “Let's hope for the sake of Sony's customers and the poor souls in their public relations department that this is the last disclosure they will need to make related to this incident.”