Sony PlayStation Network Breached, 77 Million Users Private Data Stolen
Sony is warning its millions of PlayStation Network users to watch out for identity-theft scams after hackers breached its security and plundered the user names, passwords, addresses, birth dates, and other information used to register accounts. Sony’s stunning admission came six days after the PlayStation Network was taken down following what the company described as an “external intrusion”.
The stolen information may also include payment-card data, purchase history, billing addresses, and security answers used to change passwords, Sony said on Tuesday. The company plans to keep the hacked system offline for the time being, and to restore services gradually. The advisory also applies to users of Sony’s related Qriocity network.
Sony’s advisory means that the company was likely storing passwords, credit card numbers, expiration dates, and other sensitive information unencrypted on its servers. Sony didn’t say if its website complied with data-security standards established by the Payment Card Industry.
Sony had already come under fire for a copyright lawsuit targeting customers who published instructions for unlocking the game console so it could run games and applications not officially sanctioned by the company. The criticism only grew after Sony lawyers sought detailed records belonging to hacker George Hotz, including the IP addresses of everyone who visited his jailbreaking website over a span of 26 months.
Hackers howled with displeasure saying they should have a right to modify the hardware they legally own. Sony recently settled that case, but Hotz, whose hacker moniker is GeoHot, has remained highly critical of the company. Many have also objected to the removal of the so-called OtherOS, which allowed PlayStation 3 consoles to run Linux.
Sony reminded users located in the US that they’re entitled to receive one credit report per year from each of the three major credit bureaus. The company didn’t offer to pay for any sort of credit monitoring service to help ensure the information it lost isn’t used in identity-theft ruses against its users.
“When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password,” advises a letter that Sony is sending to its users.
Of course, that suggestion assumes users continue to trust Sony to safeguard their information and stand behind assurances that the PlayStation Network is secure, and at the moment there’s little evidence to support that assumption.
Credit: The Register
More on CyberInsecure:
Posts
April 27th, 2011 at 9:08 am
Why is Sony telling 77 million gamers to change their password? That wouldn’t be necessary if they didn’t let data get stolen! What is a changed password going to accomplish that wasnt before the data was cracked?
How can I guarantee this crap just doesn’t keep happening? I would certainly sue Sony for they are just plain stupid for not thinking of this worst case scenario and planning for it.
Who the heck lets their network go down for 2 weeks? And you ask why kids are hacking their consoles??
April 27th, 2011 at 10:11 am
Well…isn’t this just PEACHY. With the other stuff they’ve pulled within the last 5 or so years, that the CC data isn’t in compliance with PCI security standards. I’m wondering just how much damage they’re guilty of for this carelessness…
April 27th, 2011 at 10:14 am
Fantastic. This is great. I like watching Sony get what they deserve. I hope this is costing them millions, if were lucky they’ll go bankrupt. Thats what you get when your a mean bully that sues its users and gives no regard to what their users want. Awesome, keep up the good work.
April 27th, 2011 at 11:45 am
Does anyone know anything about sending info regarding scams to Sony? A California number has called numerous times today. I don’t know anyone in California. After doing a reverse look-up of the number and finding a street address, it’s a dumpy looking apartment, so I’m betting it’s a scam. I’d love to be able to report the number and street address. Then a number of 229 area codes have also been calling and I can’t find anything on them either.
April 27th, 2011 at 12:30 pm
“and gives no regard to what their users want”
Less than 1% of the users even care about installing Linux on their PS3.
April 27th, 2011 at 1:22 pm
”Less than 1% of the users even care about installing Linux on their PS3.” -citation needed
If my personal information is now compromised due to inadequate handling of my private information by Sony, i would like to get a life-time identity theft protection or a signature awarding me 2 million USD if my identity is stolen during my life time.
I will be waiting on my 13,000 USD check (14 USD/month * 12 month/year * 80 years/life).
April 27th, 2011 at 1:26 pm
Where did you get your 1% figure from? I bet a lot more that 1% want to be able to do more to their system than just installing Linux. We paid for the hardware, why can’t we use it the way we want? Come back when you have a decent argument.
April 27th, 2011 at 1:36 pm
“Less than 1% of the users even care about installing Linux on their PS3.”
This doesn’t matter. They sold the product with the ability and removed it later. That’s theft, by any definition you want to come by. I won’t make excuses for the CC thieves here, it isn’t right. But the fact that Sony hasn’t been meeting PCI compliance is a big issue. As a developer, I have to deal with PCI compliance daily. It’s costly, but it also makes developers conform to a very good set of security best practices. Sony was cutting corners here, and when GeoHot released what he did, they knew what would happen. It’s my professional opinion that they were either storing this data unencrypted, or using the key stored on each PS3 as the encryption key. Handing out copies of your encryption key is in no way PCI compliant. They should have shut service down when they knew there was a problem rather than waiting until it happened.