Feeds

Sony says data for 25 million more customers stolen

Bleeding continues with Sony Online Entertainment hack

SANS - Survey on application security programs

Sony warned that personally identifiable information for an additional 25 million customers was exposed after discovering a massive security breach extended to its online computer games service.

The intrusion on Sony Online Entertainment systems exposed data for 24.6 million users, including their name, address, email address, birthdate, phone number, and login name. Those behind the attack likely also made off with passwords that were hashed, although Sony didn't address critical details, including what hashing algorithm was used and whether random values known as salt were used to prevent crooks from converting hashes into cleartext.

Sony also warned that that the SOE attackers may also have stolen an “outdated database” that stored data for some 12,700 payment cards belonging to customers located in Europe. The majority of SOE card information was stored in a “main credit card database” that was “in a completely separate and secured environment” that Sony analysts don't believe was accessed.

The warning came a day after Sony closed the SOE's Station.com website, because investigators “discovered an issue that warrants enough concern for us to take the service down effective immediately.”

Combined with a previously reported hack on the company's PlayStation Network, in which sensitive data for 78 million users is believed to have been stolen, the new disclosure means Sony has exposed personally identifiable information for 102.6 million user accounts. Sony has said that the passwords in the previously disclosed attack were also hashed, but so far hasn't supplied the same crucial details.

For the first time, Sony hinted that it would compensate users for the cost of enrolling in programs designed to prevent identity theft. “The implementation will be at a local level and further details will be made available shortly in each region,” Tuesday's press release from Sony said.

The company also said SOE users will get 30 free days of additional time on their subscriptions and compensation of one day for each day the system is down. Sony hasn't said when it expects to restore SOE service. It has said that PSN and Qriocity services will be progressively restarted over the coming week.

The intrusion on SOE happened on April 16 and 17, around the same time as the attack on the PSN, from April 17 to April 19. Sony closed the PSN on April 20, but didn't disclose the extent of the breach until six days later. Security experts have already said that the amount of information believed to have been stolen in the PSN hack, and the number of users affected, means the attackers had sustained access to the core parts of Sony's network.

The revelation, two weeks after the attack was discovered, that SOE was also penetrated further supports assessments that this breach was extraordinarily deep. No wonder Sony is looking for a senior application security analyst to join its team. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.