Sony has revealed that an earlier security breach it did not notice resulted in hackers making off with the details of another 25 million users, this time those unwise enough to play its MMORPGs, and has also confirmed that tens of thousands of additional card numbers have been stolen.
Sony’s online service Sony Online Entertainment (used for all its MMORPGs, such as EverQuest, Star Wars Galaxies, etc.) is the latest to be breached, with all details associated with 25 million users now in the hands of hackers, along with the card details of tens of thousands of users.
Disturbingly, the compromise actually happened days before the PSN was discovered to have been hacked (Sony says around the 16th-17th of April), but Sony did not notice until May 1st.
Their official announcement is all but identical to the PSN announcement:
Dear Valued Sony Online Entertainment Customer:
Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems.
We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack.
Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.
Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained. We will be notifying each of those customers promptly.
There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.
We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.
As with the PSN, all SOE services have now been taken offline indefinitely whilst Sony implements proper security. Sony promises a “complimentary offering” to help users protect themselves from identity theft.
Sony came under intense fire for withholding details of the scale of the PSN leak for many days, whereas in this case it apparently released the details the next day. That contrast is sure to raise further questions about the timing of the PSN announcement, which came just after Sony announced its new tablets.
With the details of 102 million customers lost to hackers in the largest such leak ever, it is possible at this stage that Sony’s reputation as a provider of online services is irrecoverably damaged – something sure to have severe consequences for a company increasingly dependent on the Internet for its business.