24.6 million SOE accounts potentially compromised

Ramifications of security breach multiply as 12,700 card details stolen. UPDATE: Sony: Only 900 stolen cards still active

Update

Sony has issued a statement to GamesIndustry.biz explaining that only 900 of the 12,700 non-US credit card details stolen were active cards, with the rest of the details being out of date.

Because the database server which contained the details was not a current one, the vast majority of the details stolen will be invalid for use, Sony believes.

Original story

Sony Online Entertainment, the branch of Sony which operates MMOs such as DC Universe Online and Free Realms, has revealed that a further 24.6 million accounts have potentially been compromised in the same security breach which has seen PlayStation Network taken offline for the past fortnight.

The statement came via an announcement on the official SOE website, revealing that both an active and an outdated database server had been ransacked during the security breaches of 16 and 17 April. All servers related to SOE activities were shut down immediately.

Whilst the 24.6 million accounts which were compromised were from the current database, the outdated server also included payment details. Included in the potentially missing data from that server are "12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain," reads Sony's statement.

"There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.

"We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible."

Sony's announcement includes the following statement explaining the extent of the breach.

"The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:

  • name
  • address
  • e-mail address
  • birthdate
  • gender
  • phone number
  • login name
  • hashed password

"In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:

  • bank account number
  • customer name
  • account name
  • customer address

Currently, Sony's compensation plans consist of refunds and subscription extensions, as well as locally organised incentives to join fraud protection schemes.

"SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a 'make good' plan for its PlayStation 3 MMOs (DC Universe Online and Free Realms). More information will be released this week.

"Additionally, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region."

The security breach presents a potentially catastrophic event for Sony, but some experts believe that the problem is a result of "inherited apathy" at the company, lax security standards which became more dangerous and less obvious as the company grew ever larger and more Byzantine.

"Personal details such as names and addresses have long been seen as unimportant assets and as an organisation's services grow, the inherited apathy - or insufficient risk assessment - can prevail," Martin Landless of online security firm LogRhythm told GamesIndustry.biz.

"When this information is combined with dates of birth and credit card numbers, the value and potential to lead to further attacks increases exponentially. Even if the passwords were encrypted, the method used may not have been strong enough to ensure they remained secure."
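The point Landless raises, that a leaked table of "hashed passwords" is only as safe as the method used to hash them, can be shown concretely. The Python below is an added example and not code from the article or from Sony's systems; the sample users, the record format and the PBKDF2 work factor are assumptions. It contrasts an unsalted, single-round hash, where two accounts with the same password produce identical digests and a leak exposes password reuse and lends itself to precomputed lookup tables, with a salted, iterated PBKDF2-HMAC-SHA256 record checked in constant time.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample accounts for the demonstration (not data from the page).
# alice and bob deliberately share a password to show why salting matters.
SAMPLE_USERS = {
    "alice": "letmein",
    "bob": "letmein",
    "carol": "S7!kq-Vz9w",
}

# Assumed work factor; tune so that one verification costs tens of milliseconds
# on your hardware. Higher is slower for you and far slower for an attacker.
PBKDF2_ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-1.

    Fast and deterministic: identical passwords always map to the same digest,
    so a stolen table reveals password reuse across accounts and can be matched
    against digests computed in advance. This is the 'not strong enough' case.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password: str,
                   iterations: int = PBKDF2_ITERATIONS,
                   salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<digest>.

    A fresh random salt per account means equal passwords give different
    records, and the iteration count makes each guess expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def count_shared_digests(digests: Iterable[str]) -> int:
    """Number of distinct digest values that more than one account shares.

    Run over a leaked table, a non-zero result tells an attacker which accounts
    reuse a password; run by a defender, it is a quick audit of hashing quality.
    """
    counts: dict = {}
    for d in digests:
        counts[d] = counts.get(d, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def build_tables():
    """Hash the sample users both ways and return (weak_table, strong_table)."""
    weak = {user: weak_hash(pw) for user, pw in SAMPLE_USERS.items()}
    strong = {user: store_password(pw) for user, pw in SAMPLE_USERS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("shared digests, unsalted SHA-1:", count_shared_digests(weak.values()))
    print("shared digests, salted PBKDF2: ", count_shared_digests(strong.values()))
    print("alice verifies:", verify_password("letmein", strong["alice"]))
    print("wrong password:", verify_password("password", strong["alice"]))
```

The record format stores the iteration count alongside the salt, so the work factor can be raised later and old records re-hashed on the user's next successful login. Note what the salted table does not protect against: a weak password is still guessable one account at a time, which is why the iteration count, not the salt, is what slows a dictionary attack down.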

Just over two weeks before the attacks took place, some 200 staff were made redundant across a number of SOE studios - a fact which starkly highlights another of Landless' observations.

"Bearing in mind the 80/20 rule that 80 percent of attacks are from insiders, who is the most likely person to have been able to conduct or assist with this attack?

"One would imagine there would be multiple external perimeters to compromise, and monitoring should have been conducted on these layers. There may not have been so many detection mechanisms within the network for a trusted administrator."

Latest comments (20)

Perhaps we should look into providing LESS information.

Birthdate
Gender
Telephone
Aleksi Ranta Product Manager - Hardware 5 years ago
What a mess.
So what is the tally at the moment? I thought it was around 40m users compromised, but Develop reckons it's 100m.

Whichever the case, I hope SONY can execute effective damage limitation and come back well from this. Chances are, they will have to rebuild on the trust/confidence with offering more to retain the userbase. And hopefully recoup losses through folks who are able to trust a more reliable system (in theory)
John Donnelly Quality Assurance 5 years ago
Chee 77M from PSN + another 24M from SOE, or that's what it's looking like from the latest news hitting about the shutdown of the SOE portal yesterday.

Edited 1 times. Last edit by John Donnelly on 3rd May 2011 10:38am

Fran Mulhern, Recruit3D 5 years ago
Jeez. Bank account details for direct debit users. Now THAT is a big problem.
Andrew Goodchild Studying development, Train2Game 5 years ago
Although the 77m psn and 24m soe no doubt have some crossover.
What's 20 drops in a pond of 70 droplets? :)
I guess it's still a heck of a leaking faucet to plug
John Donnelly Quality Assurance 5 years ago
True Andrew, but even so it's still a staggering number of people who have had a lot of personal data exposed before we even talk about the credit/debit card info that has also been obtained.

Those behind the compromise now have a large chunk of the data needed for identity theft.
Antony Johnston Writer & Narrative Designer 5 years ago
Notwithstanding Landless' misunderstanding of what "the 80/20 rule" is, his conclusion is probably right. I hadn't considered the timing before, but it does seem rather too coincidental. Yeesh, what a mess.
Miguel Melo Principal Software Engineer/Product Manager 5 years ago
They sure aren't running out of fans for the stuff to hit.
Andrew Goodchild Studying development, Train2Game 5 years ago
Now we just need to find they have also lost the details they obtained with the spyware they implanted on enhanced audio cds.
Kingman Cheng Illustrator and Animator 5 years ago
Indeed Dr. Wong, sometimes these things are a bit information overkill.
Dan Champlin Studying CIS, DeVry University 5 years ago
Why do I see a lawsuit coming up?
Robert Troughton Managing Director, Coconut Lizard 5 years ago
In fairness to Sony, the whole way that the banks/governments have allowed payment systems to be set up online is completely wrong - and it was only a matter of time before something like this happened... if a company such as Sony can be hacked into so easily, what if hackers targeted all the smaller companies...? And... how secure are other big companies on the internet..? Paypal/eBay? DHL/FedEx? Sky? Steam? ...

The fact is that there needs to be a wide-reaching shakeup of the whole online transaction system...

Companies simply shouldn't be allowed to store all the card information on their own networks - no matter how encrypted they believe the data to be.

Whoever got the data from Sony could be using some pretty damn powerful machines working to break the encryption key used on that data... the potential win from decrypting it is huge... so if the data is sold to the right people, they won't bat an eyelid about putting some very powerful computers - and equally powerful programmers - to work on breaking into it. Not only that... depending on what Sony's encryption system is, god help anyone whose password is an easy dictionary lookup - or, even worse, in the "top 50 passwords" list...

To protect us all from future attacks like this, the banks - or a group above them - should require transactions to come through them. It's in their interests to ensure that their customers' information is secure and that transactions are genuine - so put it in their hands to ensure that it is.
Sam Maxted Journalist / Community / Support 5 years ago
Those people providing false names / addresses for their MMO accounts don't look so dumb, today...
Andrew Goodchild Studying development, Train2Game 5 years ago
I do wonder why I can register a card on a recreational site and use it ad infinitum, but to pay my credit card bills with debit card bills, registered to the same person same address, I have to go through an extra level of bank security.
Shaun Farol Studying Computer Information Systems, California Polytechnic State University 5 years ago
I wonder. Is Sony somehow exempt from PCI Compliance?

If they followed the PCI Guidelines something like this should never have happened.
Fran Mulhern, Recruit3D 5 years ago
@ Shaun. I can't imagine any guidelines are foolproof.
Jason Broad Quality Assurance 5 years ago
An awkward smile crept across my face when I first heard the news. Then I noticed the standard email and realised I had used one of my cards for my son's PSP.
Card and details now changed, just to be safe.
Unfortunately my personal details cannot be changed... DoB, address, name, etc...
So card theft and associated fraud is a non-issue, but the possibilities of identity theft will be in the shadows for the rest of our lives.
Frederic Eichinger Web Developer 5 years ago
Regarding the fact that Sony has a rather secure network compared to many others and managed to respond quite fast, it is still somewhat weird to see almost 100 M data sets stolen. But not only that, what does this say about the other networks? Some of those are even less secured than Sony's.
These are the times when people should start reviewing their belief in the internet's "anonymity"...