To say things aren’t going well at Sony at the moment is a bit of an understatement. The company is still under heavy pressure regarding the PSN hack – and indeed the network is still down, although core services are supposed to be coming back this week.
Now the company has suffered a second security blow with the revelation that the Sony Online Entertainment (SOE) platform, which provides the likes of MMORPGs and Facebook games, has also been hacked.
Sony had previously said it didn’t believe SOE users had been affected by the attack, but things didn’t look good last night when the service was taken down for “maintenance”.
In fact, the ongoing investigation into the hacking incident had discovered that the intruders had also obtained customer data from SOE.
Data the hackers got away with includes the user’s name, address (city, state, postcode, country), email address, gender, date of birth, phone number, login name and hashed password (the latter meaning the password was passed through a one-way algorithm, which, unlike encryption, is not designed to be reversed).
Furthermore, Sony has confirmed some financial data has been spilled. The hackers also accessed an outdated database from 2007 which contained some 12,700 credit and debit card numbers (and expiration dates) from users outside the US.
10,700 direct debit records were also hoovered up, listing the bank account numbers of customers in Germany, Austria, the Netherlands and Spain. All of these users will be notified promptly, Sony says.
As for the main and current credit card database, as with PSN, Sony says that there’s no evidence to indicate this was compromised. Although clearly, it can’t categorically state that it wasn’t rifled through – and of course previously there was no evidence that SOE was hacked.
Apparently the main CC database was stored in a separate and “secured environment” from the outdated details. Quite what the outdated details were being stored for anyway, we’re not sure. Presumably these are cards which have now expired anyway.
Naturally, SOE game services have been switched off, and an external security firm is examining the breach, with steps being taken to strengthen the network as appropriate. Deja-vu anyone? Well, quite.
The advice offered is the same for PSN users. Sony posted: “When SOE’s services are fully restored, we strongly recommend that you log on and change your password.”
“Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.”
It also added that customers should be aware of possible email, phone or postal scams engineered by the miscreants with their stolen details. Folks should also keep a close eye on their financial affairs to ensure nothing is amiss.
To say this is embarrassing coming on the heels of the whole PSN disaster is an understatement. For Sony not to even notice a breach which reportedly occurred before the PlayStation Network debacle two weeks ago is distinctly poor form.
With 77 million PSN users and 24 million SOE, that’s over 100 million customer details exposed now. Heads are likely to roll at some point.
Whether or not credit card details were compromised in either of these attacks, it seems unlikely that many folks will tap in their card details to Sony’s systems in the future without thinking twice about it, whatever reassuring noises about security are currently being made.