24.6 million SOE accounts potentially compromised

Update

Sony has issued a statement to GamesIndustry.biz explaining that only 900 of the 12,700 non-US credit card details stolen were active cards, with the rest of the details being out of date.

Because the database server which contained the details was not a current one, the vast majority of the details stolen will be invalid for use, Sony believes.

Original story

Sony Online Entertainment, the branch of Sony which operates MMOs such as DC Universe Online and Free Realms, has revealed that a further 24.6 million accounts have potentially been compromised in the same security breach which has seen PlayStation Network taken offline for the past fortnight.

The statement came via an announcement on the official SOE website, revealing that both an active and an outdated database server had been ransacked during the security breaches of 16 and 17 April. All servers related to SOE activities have been shut down immediately.

Whilst the 26.4 million accounts which were compromised were from the current database, the outdated server also included payment details. Included in the potentially missing data from that server are "12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain," reads Sony's statement.

"There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.

"We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible."

Sony's announcement includes the following statement explaining the extent of the breach.

"The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:

• name
• address
• e-mail address
• birthdate
• gender
• phone number
• login name
• hashed password

"In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:

• bank account number
• customer name
• account name
• customer address

Currently, Sony's compensation plans consist of refunds and subscription extensions, as well as locally organised incentives to join fraud protection schemes.

"SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a 'make good' plan for its PlayStation 3 MMOs (DC Universe Online and Free Realms). More information will be released this week.

"Additionally, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region."

The security breach presents a potentially catastrophic event for Sony, but some experts believe that the problem is a result of "inherited apathy" at the company, lax security standards which became more dangerous and less obvious as the company grew ever larger and more Byzantine.

"Personal details such as names and addresses have long been seen as unimportant assets and as an organisation's services grow, the inherited apathy - or insufficient risk assessment - can prevail," Martin Landless of online security firm LogRhythm told GamesIndustry.biz.

"When this information is combined with dates of birth and credit card numbers, the value and potential to lead to further attacks increases exponentially. Even if the passwords were encrypted, the method used may not have been strong enough to ensure they remained secure."

Just over two weeks before the attacks took place, some 200 staff were made redundant across a number of SOE studios - a fact which starkly highlights another of Landless' observations.

"Bearing in mind the 80/20 rule that 80 percent of attacks are from insiders, who is the most likely person to have been able to conduct or assist with this attack?

"One would imagine there would be multiple external perimeters to compromise, and monitoring should have been conducted on these layers. There may not have been so many detection mechanisms within the network for a trusted administrator."