Sony apologises after customer data stolen in PlayStation hack

Sony loses user data in PlayStation hack

Sony has apologised for data theft affecting 77 million users in one of the largest internet security break-ins ever.

The PlayStation Network breach last week allowed the theft of names, addresses and possibly credit card data of the user accounts.

Sony did not disclose the hack until this week, claiming it took "several days of forensic investigation" before it knew data had been compromised and shut down the network.

Users have reacted with fury as Sony made no mention of the network crisis until after it had launched its new tablet computers in Japan this week.

"If you have compromised my credit information, you will never receive it again," read one message on the PlayStation Network blog from user "Korbei83".

"The fact that you've waited this long to divulge this information to your customers is deplorable. Shame on you."

An "illegal and unauthorized person" obtained names, addresses, email addresses, birth dates, user names, passwords, logins, security questions and more, Sony said.

Sony has reported the breach to the Federal Bureau of Investigation, while US Democratic senator Richard Blumenthal has asked Sony to explain why it didn't notify PlayStation owners sooner.

The shutdown of the PlayStation Network prevented owners of Sony's video game console from buying and downloading games, as well as playing with rivals over the Internet.

Sony said it could restore some of the network's services within a week.

The breach may be the largest theft of identity data information on record, said Alan Paller, research director of the SANS Institute.

The PlayStation Network was launched in 2006 and offers games, music and movies to PlayStation console users.

Sony had 77 million registered users as of March 20, almost 90 per cent of them in Europe or the United States.

The breach is a major setback for Sony as the PlayStation franchise is a substantial profit source and remains a flagship product for Sony.

It also overshadows Sony's plans to launch a new hand-held games device, the Next Generation Portable, by the end of the year.

How fast Sony can bounce back depends on a number of factors, said Ricardo Torres, editor-in-chief of Gamespot.com.

"It depends how soon the network comes up, but more importantly how Sony deals with their user base," Torres said.

"Some kind of compensation has to be provided. 'Sorry' doesn't cut it for a lot of consumers at this point."

"The big question that will come up is what they're doing for security."

Sony said children with accounts established by their parents might have had their data exposed.

It said it saw no evidence credit card numbers were stolen, but warned users it could not rule out the possibility.

"Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained," Sony said.

Analysts said that while Sony has notified customers of the breach, it had still not provided information on how user data might have been compromised.

"How will the hacker use the info that has been illegally obtained?" said Wedbush Securities analyst Michael Pachter, who estimated Sony generates $500 million in annual revenue from the service.

Sony has hired an "outside recognised security firm" to investigate, and said user account information for the PlayStation Network and its Qriocity service users was compromised between April 17 and April 19.

It has declined to comment on whether it was working with law enforcement officials.

Paller said Sony probably did not pay enough attention to security when it was developing the software that runs its network.

In the rush to get out innovative new products, security can sometimes take a back seat, Paller added.

"They have to innovate rapidly. That's the business model," Paller said.

"New software has errors in it, so they expose code with errors in it to large numbers of people, which is a catastrophe in the making."

He suspected the hackers entered the network by taking over the PC of a system administrator, who had rights to access sensitive information about Sony's customers.

They likely did that by sending the administrator an email message that contained a piece of malicious software that got downloaded onto his or her PC.

Sony said its users could place fraud alerts on their credit card accounts through three U.S. credit card bureaus, which it recommended in its statement.

It has struggled for years to control the activities of the hackers who make up a portion of PlayStation's fanbase.

Games fan website PlayStation Lifestyle said earlier this month that a group calling itself Anonymous had conducted attacks on Sony websites and online services as revenge for its attempts to clamp down on hacking.
