Sony involved in major data hack
Warning issued to 77 million users after gaming network outage
Sony Corporation has warned that hackers may have stolen credit card data from PlayStation users worldwide.
The incident forced Sony to shut down its PlayStation Network for the past week, disconnecting 77 million users.
Sony can't rule out credit card breach
Below is the full text of Sony's blog posting on the PlayStation Network hack and loss of personal data:
Thank you for your patience while we work to resolve the current outage of PlayStation Network & Qriocity services. The following email has been sent to all PSN registrants; please read the help and support FAQ for more information.
Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorised intrusion into our network. In response to this intrusion, we have:
1) Temporarily turned off PlayStation Network and Qriocity services;
2) Engaged an outside, recognised security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
Although we are still investigating the details of this incident, we believe that an unauthorised person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorised a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising that your credit card number (excluding security code) and expiration date may also have been obtained.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit or similar types of reports.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at uk.playstation.com/psnoutage should you have any additional questions.
Sony Network Entertainment and Sony Computer Entertainment Teams
Sony Network Entertainment Europe Limited (formerly known as PlayStation Network Europe Limited) is a subsidiary of Sony Computer Entertainment Europe Ltd., the data controller for PlayStation Network/Qriocity personal data.
Critical remediation time
Commenting on what could potentially be one of the largest privacy breaches to date, William Beer, a director in PriceWaterhouseCoopers (PwC) information security practice, said: "The period after a breach is time-critical in terms of communicating with consumers, regulators and protecting reputation. Increasingly, consumer trust is being tested as more and more personal information is being placed in the hands of companies, but even the most respected organisations that are expected to have water-tight security are being breached as hackers become more sophisticated.
"At this point it's important that consumers are on red alert when receiving requests for their personal information. In what might seem like an authentic attempt by the company itself or a credit card supplier to rectify a problem, hackers are increasingly using advanced methods of social engineering to play on people's trust and trick them into handing over key nuggets of information.
"Events like this are surrounded by uncertainty and that contributes to the severity of the problem. Targeted companies are uncertain about what has occurred and what their exposures are, while consumers are unclear about the nature of data stolen, and the motivations of the attackers. The implications of a major breach like this for consumers are wide-ranging and require increased vigilance over the months to come."
Third-party services game changer
Considering the impact data breaches such as this can have on banks and credit card providers, Simon Westcott, director in PwC's financial services strategy group, added: "Since 2008, we have seen a reduction in overall credit card fraud of close to 30%, mainly due to the introduction of the chip and pin system and other online security measures. However, the nature of the threat is now changing from 'point of sale' fraud to one perpetrated by hackers stealing large quantities of data. As more people register their credit card details across the web, the risk and cost to the credit card providers becomes ever greater.
"We expect providers to look at ways they can recover the costs of the losses they suffer and ultimately this could be passed on to consumers in the form of increased borrowing costs. We may also see providers imposing stricter security requirements on retailers and seeking to recoup some of the cost from the companies who lost the customers' data in the event these rules are not followed. Providers may also consider levying a premium for additional protection on consumers who use their credit cards online frequently."