Sony says data for 25 million more customers stolen
Bleeding continues with Sony Online Entertainment hack
Sony warned that personally identifiable information for an additional 25 million customers was exposed after discovering a massive security breach extended to its online computer games service.
The intrusion on Sony Online Entertainment systems exposed data for 24.6 million users, including their name, address, email address, birthdate, phone number, and login name. Those behind the attack likely also made off with passwords that were hashed, although Sony didn't address critical details, including what hashing algorithm was used and whether random values known as salt were used to prevent crooks from converting hashes into cleartext.
Sony also warned that that the SOE attackers may also have stolen an “outdated database” that stored data for some 12,700 payment cards belonging to customers located in Europe. The majority of SOE card information was stored in a “main credit card database” that was “in a completely separate and secured environment” that Sony analysts don't believe was accessed.
The warning came a day after Sony closed the SOE's Station.com website, because investigators “discovered an issue that warrants enough concern for us to take the service down effective immediately.”
Combined with a previously reported hack on the company's PlayStation Network, in which sensitive data for 78 million users is believed to have been stolen, the new disclosure means Sony has exposed personally identifiable information for 102.6 million user accounts. Sony has said that the passwords in the previously disclosed attack were also hashed, but so far hasn't supplied the same crucial details.
For the first time, Sony hinted that it would compensate users for the cost of enrolling in programs designed to prevent identity theft. “The implementation will be at a local level and further details will be made available shortly in each region,” Tuesday's press release from Sony said.
The company also said SOE users will get 30 free days of additional time on their subscriptions and compensation of one day for each day the system is down. Sony hasn't said when it expects to restore SOE service. It has said that PSN and Qriocity services will be progressively restarted over the coming week.
The intrusion on SOE happened on April 16 and 17, around the same time as the attack on the PSN, from April 17 to April 19. Sony closed the PSN on April 20, but didn't disclose the extent of the breach until six days later. Security experts have already said that the amount of information believed to have been stolen in the PSN hack, and the number of users affected, means the attackers had sustained access to the core parts of Sony's network.
The revelation, two weeks after the attack was discovered, that SOE was also penetrated further supports assessments that this breach was extraordinarily deep. No wonder Sony is looking for a senior application security analyst to join its team. ®
You sure a bit of prosecuting of Sony wouldn't concentrate their minds a bit if it was found that their measures were inadequate?
(Hardware hacker != Professional mega-breacher) != !cause_and_effect
Sony used the expensive litigation to bully the PS3 hacker into submission, irrespective of the law.
Anonymous (understandably) took exception to this and threatened Sony.
Sony were therefore expecting a huge DOS.
An ideal time for a criminal hack, because Sony would likely misinterpret the seriousness.
The only question is whether this was already planned and just had lucky timing, or was planned as a result of the situation.
How long will it be before...
Sony publishes their end of year figures and points to a massive drop in profits which they will blame on piracy and hacking rather that their own lack of a creditable IT Policy.
American companies have Sarbanes Oxley which can lead to jail time if not adhered to.
Sony has a policy which they just make up as they go along.
Not a Sony customer and certainly not likely to be in the future.
Remember to vote everybody or things will never change.