Feldon Between April 17 and April 19, 2011, the PlayStation Network, the online service powering the PlayStation 3 and PlayStation Portable consoles, was compromised. Hackers were able to retrieve the personal/customer information of some 77 million PlayStation Network accounts, including as many as 10 million credit card numbers on file for those customers. This was largely viewed as a retaliatory strike against Sony for their prosecution of George Hotz (GeoHot) who publically posted the PS3 Root Keys allowing owners of PS3 consoles to install their own choice of software, including the much ballyhooed Other OS feature which was prominently featured on the outside of the PS3 box, and which allowed users to install Linux on their PS3.
On April 22nd, we were assured that SOE was not affected by this break-in. However, with today’s press release (posted just over 1 hour ago), the curtain surrounding today’s Downtime has been pulled back, revealing that Sony’s woes now fully extend to the SOE Customer Database as well. SOE games, forums, and websites were not taken down in an ‘abundance of caution’, but because the entire customer database may have already been compromised/stolen by hackers.
The press release indicates that customer names, e-mails, and other personal information, including hashed password (which generally CANNOT be decrypted) may have been taken, as well as the bank details of up to 10,700 European customers, and credit card information for another 12,700 European customers from an old 2007 database, however credit card information was stored in a separate database and at this time it is being stated that this was NOT compromised.
Impacted customers will get 30 days free service and 1 day extra for each day that SOE services are unavailable. It is unclear when SOE services will be restored, but realize that the PlayStation Network is now entering it’s 13th day offline (since April 19th), preventing anyone from playing all PS3 games online, including the popular Portal 2 and its much-advertised cooperative play.
From SOE.Com/SecurityUpdate:
As previously announced, we have been conducting an ongoing, thorough investigation stemming from the cyber attack in April and promised to notify you should there be any changes to the situation.
A press release was issued today outlining these details. We will promptly send a customer service notification via email to all of our impacted account holders whose customer data may have been stolen as a result of an illegal intrusion on our systems. This information was discovered less than 24 hours ago and in response, we took down our services until we could verify their security.
SOE is committed to delivering secure, stable and entertaining games for players of all ages and we’re working around the clock to ensure this situation is resolved as quickly as possible. We deeply regret the inconvenience this has caused and appreciate your continued patience and feedback.
Sincerely,
Sony Online Entertainment
The press release:
CUSTOMER SERVICE NOTIFICATION
May 2, 2011
Dear Valued Sony Online Entertainment Customer:
Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.
Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained. We will be notifying each of those customers promptly.
There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.
We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.
We apologize for the inconvenience caused by the attack and as a result, we have:
1) Temporarily turned off all SOE game services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When SOE’s services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.
We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.
We are committed to helping our customers protect their personal data and we will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in regions in which such programs are commonly utilized.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1 (866) 436-6698 should you have any additional questions.
Sincerely,
Sony Online Entertainment LLC
Sorry, your comment is not correct: credit/debit card and bank account information from non-US customers stored in a database from 2007 were stolen!
Well dam. Seems i’ll need to go find a new MMO to play while sony online retards try and clean up thier mess.
Must be the MMO gods were frowing in my decision to re-up my EQ2 account this weekend after several years away from the game. 🙁 Here’s hoping they can leverage the work done so far over at PSN and we don’t have as much downtime as they’ve had.
Here’s the part that really bothers me:
“Information from an outdated database … may have also been obtained.”
I’m not one of the people affected by that (I’m in the US), but that would really piss me off if I was. Heck, it really irks me even though I’m not affected. What the hell were they doing with outdated personal information on people? Why was it sitting there, waiting to be hacked, instead of having been deleted when it was no longer useful?
Mariel,
Thanks, I corrected my synopsis.
“There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.”
Funny, that sounds familiar… Oh I know, kinda like what they were saying about how SOE could not possibly be affected because it was on a different system than PSN:
Sony Online Entertainment says its customer data is safe http://www.joystiq.com/2011/04/28/sony-online-entertainment-says-its-customer-data-is-safe/
They said that just 3 days before the announcement that SOE had also been hacked.
“Sony takes information protection very seriously…”
Too bad they didn’t take it very seriously *before* this happened. That goes back to keeping an “outdated database from 2007.”
I know companies that operate in Australia must retain written (electronic included) communications for 7 years. In hind sight, they are probably wishing they’d archived that information with very strong encryption on offline media.
Perhaps the US and/or EU require the same thing?
Just got hit with an Amazon phish attempt sent to my e-mail pointing at (URL removed) – guess this is the beginning of the flood.
I’m glad a I”m a lifelock user. If they got my CC and try to use it they go to prison.
Eschia – hahaha. Prison…thats a good one.
Wait, please tell me you’re not being serious.
All Lifelock does is charge you money to tell you you got smacked. Sometimes.
Cheaper and more effective to keep an eye on it yourself. More time intensive too, but that’s how it goes…
@Steve
Look up “lifelock” I’m a member of the service. They will protect me against identity theft and money theft up to 1 million dollars USD. So yes i am being serious. Money and ID theft are serious crimes.
@Eschia — lifelock is a waste. if your ID is stolen your liability is limited under the law. You’re paying for a service that you can pretty much get for free.
If you think your ID has been stolen, contact any of the three credit bureaus and place a fraud alert on your file.