Sony says personal data and perhaps credit card information were stolen from tens of millions of users of its online game and movie service, as well as its on-demand digital music service.
Sony Corp. said hackers had obtained personal data, and possibly credit card information, of tens of millions of people who have registered for PlayStation Network, the company’s online game and movie service, as well as Qriocity, its on-demand digital music service.
“This was a big one,” said Bruce Schneier, security technologist and author of “Beyond Fear” and other books on computer security, referring to the number of accounts and the scope of information involved.
As of March 31, Sony had 77 million accounts for its PlayStation Network service, which links users via the Sony PlayStation 3 video game console to download games and tap into online services such as Netflix’s video streaming service.
Not all accounts are active, and it’s possible that one person can have multiple accounts.
Hackers who gained access to personal information last week were able to steal names, addresses, phone numbers, user names, birth dates, email addresses and passwords, Sony said. The company said it did not know whether credit card information was stolen.
“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility,” Sony PlayStation spokesman Patrick Seybold wrote on the company’s blog. “If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”
Sony last week shut down its PlayStation Network service, saying it had been the target of an “intrusion,” but did not release details until Tuesday.
The delay drew criticism from Sen. Richard Blumenthal (D-Conn.), who fired off a letter to the president of Sony’s PlayStation business in the U.S., Jack Tretton, saying he was “troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections.”
“We learned there was an intrusion April 19 and subsequently shut the services down,” Sony spokesman Patrick Seybold said. “We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until [Monday] to understand the scope of the breach. We then shared that information with our consumers and announced it publicly [Tuesday].”
Schneier said such attacks aren’t unusual and that few consumers are permanently damaged from any resulting identity theft.
“This happens a lot, and there’s nothing you can do about it,” Schneier said. “You might be screwed, but you’ll basically be OK.”
Meanwhile, Sony said it plans to get parts of its PlayStation Network back up “within a week.”