SOE Database Compromise News Around the Web

Today’s news that the SOE Customer Database has been stolen has continued to break around the Web from the BBC to Reuters to Nikkei news in Japan.

We have news from:

• Nikkei.com
• ConsumerAffairs.com
• Reuters.com
• BetaNews.com
• CNet
• Wired.com
• PCWorld.com
• ZAM.com
• Yahoo Finance
• PC IGN

From Nikkei.com:

Hackers who targeted Sony Corp. may have stolen personal data for customers from a second online service, bringing the potential number of compromised accounts to over 100 million.Sony Online Entertainment, a San Diego-based subsidiary that makes multiplayer games, said it has suspended access to its services overnight between Sunday and Monday after discovering personal information from 24.6 million accounts had been stolen. The information included names, addresses, birthdates and other personal details.

The company also said a database from 2007 containing credit card numbers and expiration dates on non-U.S. customers may also have been compromised in the attack. Hackers may also have gained access to 10,700 direct debit records of customers in Austria, Germany, Spain and the Netherlands, the company said.

The expansion of Sony’s investigation dramatically raises the fallout from a high-profile breach of its computer records roughly two weeks ago. Last week, the company acknowledged personal information had been stolen from another unit, PlayStation Network, prompting concerns about identity theft and an inquiry from members of the U.S. Congress.

Sony said the shutdown of Sony Online Entertainment, which hosts the popular “EverQuest” role-playing game, was prompted by an expansion of the initial investigation, not a separate attack.

“We temporarily took down SOE’s services as part of our continued investigation into the external intrusion that occurred in April,” said Michele Sturdivant, a Sony Online Entertainment spokeswoman. “This is not a second attack.”

Sony discovered the attack against its PlayStation Network, which allows gamers to play against each other online, between April 17 and April 19. It shut the game service on April 20, prompting outrage among its predominantly youthful user base. A week later, Sony acknowledged personal information for 77 million customers of its PlayStation Network had been stolen.

Engineers and security consultants examining Sony Online Entertainment systems discovered the intrusion of its services on Monday morning, Tokyo time.

From ConsumerAffairs.com:

It’s happened again. Sony has temporarily shut down one of its online computer game networks, saying that hackers may have gained access to personal information for nearly 25 million users.

The latest disruption involves Sony Online Entertainment, which provides multiplayer games for computers. It shut down its service late Monday amid concerns that hackers may have hijacked information including names, addresses and birth dates.

In a notice to its customers today, Sony said: “Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems.  We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack.”

On April 20, the company shut down its PlayStation Network after hackers lifted information on some 77 million users.

The company insists that the latest shutdown is not due to a second hacking incident, and says it believes that the additional 25 million users’ data may have been stolen during the same break-in as the one reported earlier.

From Reuters.com:

Sony disclosed on Monday hackers had stolen the names, addresses and passwords of nearly 25 million more users than previously known less than a day after the Japanese company apologized for one of the worst break-ins in Internet history.

Sony’s latest revelation comes after Sony No. 2 Kazuo Hirai announced measures had been put in place to avert another Playstation-type cyberattack, hoping to repair its tarnished image and reassure customers who might be pondering a shift to Microsoft’s Xbox.

…

The incident that Sony disclosed on Monday also forced it to suspend its Sony Online Entertainment games on Facebook.

Sony posted a message on Facebook saying it had to take down the games during the night.

A Sony spokesman said the Facebook games make money from microtransactions and the sale of virtual goods like costumes and weapons.

It was not immediately clear if the data theft included data from players of Sony games including “PoxNora,” “Dungeon Overlord,” “Wildlife Refuge” on Facebook.

From BetaNews.com:

Sony disclosed on Monday that the continuing investigation into the hack of the PlayStation Network had turned up new problems: its Sony Online Entertainment multiplayer game service was also hacked, and credit card data and bank information obtained.

Customers affected in the SOE breach are outside of the US, Sony says. About 12,700 credit card numbers with expiration dates were disclosed from a breach of an outdated database, and the bank account numbers of about 10,700 users from Germany, Austria, Netherlands and Spain may have also been stolen.”There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment,” the company said in a statement sent to users. It is also an about face for Sony, who at first had believed SOE’s systems were not hacked.

This latest disclosure only seems to suggest that the company may have a serious issue on its hands, and one that could lead to lawsuits by aggrieved customers worldwide. Sony’s statements have been calculated from the beginning: seemingly written by the company’s lawyers likely bracing themselves for a torrent of legal scrutiny.

From CNet.com:

Sony Online Entertainment was taken offline today and the company warned users of the service that their personal data may have been stolen as part of the computer attack that exposed the information of as many as 77 million PlayStation Network accounts two weeks ago.

From Wired.com:

It’s bad news piled on top of bad news for Sony.

Hackers may have stolen the personal information of 24.6 million Sony Online Entertainment users, the company said on Monday. More than 20,000 credit card and bank account numbers were also put at risk. This is in addition to the recent leak of over 70 million accounts from Sony’s PlayStation Network and Qriocity services.

“We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyberattack,” Sony wrote in a statement on its website on Monday.

Sony did not say when its SOE services would be back online.

From PCWorld.com:

Sony Cuts off Sony Online Entertainment Service After Hack

The widely publicized hack of Sony’s computer networks is worse than previously thought, also affecting 24.6 million Sony Online Entertainment network accounts.

Sony — which has kept its Sony PlayStation Network offline for nearly two weeks as it investigates a computer intrusion — took a second gaming network offline on Monday, saying it too appears to have been hacked. It said banking and credit card information belonging to more than 23,000 customers outside the U.S. may have been compromised.

The Sony Online Entertainment network, used for massively multiplayer online games like EverQuest, Star Wars Galaxies and Matrix Online, has been suspended temporarily, Sony said Monday. Add this to the 77 million accounts that may have been compromised last week, and Sony is responsible for one of the largest recorded data breaches.

The entertainment network is separate from the PlayStation Network but both hacks have similar traits, said Mai Hora, a spokeswoman for Sony Computer Entertainment in Tokyo.

In both cases, the stolen data includes customer names, e-mail addresses and hashed versions of their account passwords. That data could be used to spam customers or trick them with phishing e-mails.

and ZAM.com:

As we previously reported, all Sony Online Entertainment services, games, forums and web sites went offline this morning as a result of the recent Playstation Network intrusion. SOE just issued an announcement, and it appears that the personal information of players may have been compromised. Here are the details straight from SOE:

“Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems.  We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.”

SOE goes on to state that there is no evidence that their main credit card database was compromised.  However, SOE is warning customers outside of the United States that credit and debit card information from an outdated database from 2007 may have been obtained. Affected customers will be notified.

SOE warns players to “be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information.” SOE isn’t going to contact you asking for personally identifiable information like your credit card number, so keep that in mind.

So when will the SOE game services be back? “As soon as possible.” You can read the full notice after the jump.

UPDATE: As for compensation, according to the separate press release, “SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down.  It is also in the process of outlining a ‘make good’ plan for its PlayStation 3 MMOs (DC Universe Online and Free Realms).  More information will be released this week.”

and Yahoo Finance:

Sony Corp. said Monday that hackers may have taken personal information from an additional 24.6 million user accounts after a review of the recent PlayStation Network breach found an intrusion at a division that makes multiplayer online games.The data breach comes on top of the 77 million PlayStation accounts it has already said were jeopardized by a malicious intrusion.

The latest incident occurred April 16 and 17 — earlier than the PlayStation break-in, which occurred from April 17 to 19, Sony said.

About 23,400 financial records from an outdated 2007 database involving people outside the U.S. may have been stolen in the newly discovered breach, including 10,700 direct debit records of customers in Austria, Germany, the Netherlands and Spain, it said.

The outdated information contained credit card numbers, debit card numbers and expiration dates, but not the 3-digit security code on the back of credit cards. The direct debit records included bank account numbers, customer names, account names and customer addresses.

Company spokeswoman Taina Rodriguez said Sony had no evidence the information taken from Sony Online Entertainment, or SOE, was used illicitly for financial gain.

“We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1 we concluded that SOE account information may have been stolen and we are notifying you as soon as possible,” Sony said in a message to customers.

From PC IGN:

Updated Story: A SOE spokesperson provided additional clarification on this security breach in relation to the PlayStation Network breach last month:

While the two systems are distinct and operated separately, given that they are both under the SONY umbrella, there is some degree of architecture that overlaps. The intrusions were similar in nature. This is NOT a second attack; new information has been discovered as part of our ongoing investigation of the external intrusion in April.