
24.6 million SOE accounts potentially compromised

Tue 03 May 2011 7:54am GMT / 3:54am EDT / 12:54am PDT
OnlinePublishing

Ramifications of security breach multiply as 12,700 card details stolen. UPDATE: Sony: Only 900 stolen cards still active


Update

Sony has issued a statement to GamesIndustry.biz explaining that only 900 of the 12,700 non-US credit card details stolen were active cards, with the rest of the details being out of date.

Because the database server which contained the details was not a current one, the vast majority of the details stolen will be invalid for use, Sony believes.

Original story

Sony Online Entertainment, the branch of Sony which operates MMOs such as DC Universe Online and Free Realms, has revealed that a further 24.6 million accounts have potentially been compromised in the same security breach which has seen PlayStation Network taken offline for the past fortnight.

The statement came via an announcement on the official SOE website, revealing that both an active and an outdated database server had been ransacked during the security breaches of 16 and 17 April. All servers related to SOE activities have been shut down immediately.

Whilst the 26.4 million accounts which were compromised were from the current database, the outdated server also included payment details. Included in the potentially missing data from that server are "12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain," reads Sony's statement.

"There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.

"We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible."

Sony's announcement includes the following statement explaining the extent of the breach.

"The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:

  • name
  • address
  • e-mail address
  • birthdate
  • gender
  • phone number
  • login name
  • hashed password

"In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:

  • bank account number
  • customer name
  • account name
  • customer address

Currently, Sony's compensation plans consist of refunds and subscription extensions, as well as locally organised incentives to join fraud protection schemes.

"SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a 'make good' plan for its PlayStation 3 MMOs (DC Universe Online and Free Realms). More information will be released this week.

"Additionally, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region."

The security breach presents a potentially catastrophic event for Sony, but some experts believe that the problem is a result of "inherited apathy" at the company, lax security standards which became more dangerous and less obvious as the company grew ever larger and more Byzantine.

"Personal details such as names and addresses have long been seen as unimportant assets and as an organisation's services grow, the inherited apathy - or insufficient risk assessment - can prevail," Martin Landless of online security firm LogRhythm told GamesIndustry.biz.

"When this information is combined with dates of birth and credit card numbers, the value and potential to lead to further attacks increases exponentially. Even if the passwords were encrypted, the method used may not have been strong enough to ensure they remained secure."

Just over two weeks before the attacks took place, some 200 staff were made redundant across a number of SOE studios - a fact which starkly highlights another of Landless' observations.

"Bearing in mind the 80/20 rule that 80 percent of attacks are from insiders, who is the most likely person to have been able to conduct or assist with this attack?

"One would imagine there would be multiple external perimeters to compromise, and monitoring should have been conducted on these layers. There may not have been so many detection mechanisms within the network for a trusted administrator."

20 Comments

Perhaps we should look into providing LESS information.

Birthdate
Gender
Telephone

Posted:3 years ago

#1

Aleksi Ranta
Product Manager - Hardware

275 127 0.5
What a mess.

Posted:3 years ago

#2
So what is the tally at the moment. I thought it was around 40m users compromised, but Develop reckons its 100m.

Whichever the case, I hope SONY can execute effective damage limitation and come back well from this. Chances are, they will have to rebuild on the trust/confidence with offering more to retain the userbase. And hopefully recoup losses through folks who are able to trust a more reliable system (in theory)

Posted:3 years ago

#3

John Donnelly
Quality Assurance

313 38 0.1
Chee 77M from PSN + another 24M from SOE or that's what it's looking like from the latest news hitting about the shut down of the SOE portal yesterday.

Edited 1 times. Last edit by John Donnelly on 3rd May 2011 10:38am

Posted:3 years ago

#4
Jeez. Bank account details for direct debit users. Now THAT is a big problem.

Posted:3 years ago

#5

Andrew Goodchild
Studying development

1,253 418 0.3
Although the 77m psn and 24m soe no doubt have some crossover.

Posted:3 years ago

#6
whats 20 drops in a pond of 70 droplets? :)
i guess its still a heck of a leaking faucet to plug

Posted:3 years ago

#7

John Donnelly
Quality Assurance

313 38 0.1
True Andrew but even so it's still a staggering number of people who have had a lot of personal data exposed before we even talk about the credit/debit card info that has also been obtained.

Those behind the compromise now have a large chunk of the data needed for identity theft.

Posted:3 years ago

#8

Antony Johnston
Writer & Narrative Designer

112 18 0.2
Notwithstanding Landless' misunderstanding of what "the 80/20 rule" is, his conclusion is probably right. I hadn't considered the timing before, but it does seem rather too coincidental. Yeesh, what a mess.

Posted:3 years ago

#9

Miguel Melo
Software Engineer

65 0 0.0
They sure aren't running out of fans for the stuff to hit.

Posted:3 years ago

#10

Andrew Goodchild
Studying development

1,253 418 0.3
Now we just need to find they have also lost the details they obtained with the spyware they implanted on enhanced audio cds.

Posted:3 years ago

#11

Kingman Cheng
Illustrator and Animator

954 182 0.2
Indeed Dr. Wong, sometimes these things are a bit information overkill.

Posted:3 years ago

#12

Dan Champlin
Studying CIS

1 0 0.0
Why do I see a lawsuit coming up?

Posted:3 years ago

#13

robert troughton
UK General Manager

222 96 0.4
In fairness to Sony, the whole way that the banks/governments have allowed payment systems to be setup online is completely wrong - and it was only a matter of time before something like this happened... if a company such as Sony can be hacked into so easily, what if hackers targeted all the smaller companies...? And... how secure are other big companies on the internet..? Paypal/eBay? DHL/FedEx? Sky? Steam? ...

The fact is that there needs to be a wide-reaching shakeup of the whole online transaction system...

Companies simply shouldn't be allowed to store all the card information on their own networks - no matter how encrypted they believe the data to be.

Whoever got the data from Sony could be using some pretty damn powerful machines working to break the encryption key used on that data... the potential win from decrypting it is huge... so if the data is sold to the right people, they won't bat an eyelid about putting some very powerful computers - and equally powerful programmers - to work on breaking into it. Not only that... depending on what Sony's encryption system is, god help anyone whose password is an easy dictionary lookup - or, even worse, in the "top 50 passwords" list...

To protect us all from future attacks like this, the banks - or a group above them - should require transactions to come through them. It's in their interests to ensure that their customers' information is secure and that transactions are genuine - so put it in their hands to ensure that it is.

Posted:3 years ago

#14
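The article lists "hashed password" among the stolen fields, Landless notes that the hashing method "may not have been strong enough", and the comment above points out that a weak scheme leaves dictionary-word passwords exposed no matter what the company believes. The following is an added Python example (not code from Sony, from the article, or from any commenter) contrasting the weak pattern with a stronger one from the defender's side: an unsalted single-round SHA-1 store, where every account sharing a password shares a digest, against a salted PBKDF2-HMAC-SHA256 record with constant-time verification, plus a registration-time denylist check. The iteration count, the denylist contents and the sample user table are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Constructed denylist standing in for a "top N passwords" list; a real
# deployment would load a much larger breached-password corpus.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "sony123"})

# Assumed work factor for this example; tune to your hardware budget.
PBKDF2_ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-1.

    Equal passwords produce equal digests, so one recovered hash exposes
    every account that shares the password, and a precomputed table covers
    the whole dump at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iter$salt$digest'.

    A fresh 16-byte salt per account means identical passwords yield
    different records, and the iteration count makes each guess expensive.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_acceptable_password(password: str) -> bool:
    """Registration-time policy: reject short and denylisted passwords so a
    dictionary word never reaches the hash store in the first place."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def accounts_with_shared_digest(records: dict) -> int:
    """Defender's audit metric for an unsalted store: how many accounts share a
    digest with at least one other account (each such digest exposes them all)."""
    counts = Counter(records.values())
    return sum(1 for digest in records.values() if counts[digest] > 1)


# Constructed sample user table (login name -> password) for the demonstration.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "correct horse battery staple",
    "dave": "123456",
    "erin": "123456",
}


def audit_weak_store() -> int:
    """Hash the sample table the weak way and count exposed-by-sharing accounts."""
    weak_store = {user: weak_hash(pw) for user, pw in SAMPLE_USERS.items()}
    return accounts_with_shared_digest(weak_store)


def audit_strong_store() -> int:
    """Same table with salted PBKDF2: no two records coincide."""
    strong_store = {user: hash_password(pw) for user, pw in SAMPLE_USERS.items()}
    return accounts_with_shared_digest(strong_store)


if __name__ == "__main__":
    print("accounts exposed by shared SHA-1 digest:", audit_weak_store())
    print("accounts exposed by shared PBKDF2 record:", audit_strong_store())
    rec = hash_password("correct horse battery staple")
    print("verify correct:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("password", rec))
```

The audit function is the useful part for an incident like this one: run over an existing unsalted store it tells you how many accounts fall together the moment any one digest is recovered, which is a concrete input to the "reset everyone" decision.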

Sam Maxted
Journalist / Community / Support

155 65 0.4
Those people providing false names / addresses for their MMO accounts don't look so dumb, today...

Posted:3 years ago

#15

Andrew Goodchild
Studying development

1,253 418 0.3
I do wonder why I can register a card on a recreational site and use it ad infinitum, but to pay my credit card bills with debit card bills, registered to the same person same address, I have to go through an extra level of bank security.

Posted:3 years ago

#16

Shaun Farol
Studying Computer Information Systems

40 12 0.3
I wonder. Is Sony somehow exempt from PCI Compliance?

If they followed the PCI Guidelines something like this should never have happened.

Posted:3 years ago

#17
@ Shaun. I can't imagine any guidelines are foolproof.

Posted:3 years ago

#18

Jason Broad
Quality Assurance

2 0 0.0
An awkward smile crept across my face when I first heard the news. Then I noticed the standard email and realised I had used one of my cards for my son's PSP.
Card and details now changed, just to be safe.
Unfortunately my personal details can not be changed... DoB, address, name, etc...
So card theft and associated fraud is a non-issue, but the possibilities of identity theft will be in the shadows for the rest of our life.

Posted:3 years ago

#19

Frederic Eichinger
Web Developer

33 27 0.8
Regarding the fact that Sony has a rather secure network compared to many others and managed to respond quite fast, it is still somewhat weird to see almost 100 M data sets stolen. But not only that, what does this say about the other networks? Some of those are even less secured than Sony's.
These are the times when people should start reviewing their belief in the internet's "anonymity"...

Posted:3 years ago

#20
