Sony Unplugs Third Network; 100 Million Affected
This story was updated at 10:30 p.m. EDT Monday.
Nearly 25 million more personal accounts than previously thought were affected by last month's massive Sony security breach, the company announced late today (May 2), bringing the total to just over 100 million.
Financial data, including credit and debit card numbers and direct-debit bank account numbers, of about 23,400 users in Europe may also have been stolen.
All the accounts were with Sony Online Entertainment (SOE), a Sony service that hosts massively multiplayer online games (MMOs), such as EverQuest and DC Universe Online, which are mainly played using personal computers.
Sony suddenly shut down the service "temporarily" Monday, initially stating only that, "in the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately."
From bad to worse
Early in the morning Japan time Tuesday (May 3), the company issued a more detailed press release.
"Hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT)," the release read. "Personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. ... [which] includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain."
"There is no evidence that our main credit card database was compromised," Sony Online Entertainment said in a separate posting. "It is in a completely separate and secured environment."
Many European banks give clients the option of allowing third parties to directly debit their accounts in order to pay utility bills and meet other regular expenses.
One of the biggest data breaches ever
About 77 million accounts were initially thought to have been exposed by the breach of the PlayStation Network and Qriocity, both of which were shut down April 20. Sony has maintained that the credit and debit card numbers of all users of those two networks had been securely encrypted.
Among all three services, approximately 102 million accounts appear to have been compromised, making last month's intrusion one of the biggest data breaches ever. (The theft of 130 million credit card numbers from Heartland Payment Systems in 2008-2009 is still the largest and most serious.)
As with the PlayStation and Qriocity breaches, the information exposed on each account would have included full name, address, email address, birthdate, gender, telephone number and login username. The passwords were "hashed": stored as the output of a one-way function rather than as the passwords themselves, so an attacker holding the hashes cannot simply decrypt them and must instead guess candidate passwords and test each guess. Hashing is not encryption, and the statements quoted here do not say which hash function was used or whether each hash was salted; those two details determine how cheaply weak passwords can be recovered from a stolen hash database.
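What the word "hashed" does and does not guarantee, as an added example that is not from the article or from Sony: the password list and the cracking dictionary below are constructed, and the hash schemes are illustrative choices (unsalted SHA-1 versus salted PBKDF2-HMAC-SHA256), not a description of what Sony used. The point is that unsalted, fast hashes of common passwords fall to a single precomputed lookup table, while per-user salts and a slow function force separate work for every account.

```python
import hashlib
import hmac
import os

# Constructed sample data: weak passwords of the kind found in any large
# consumer database, and a tiny cracking dictionary that happens to contain them.
WEAK_PASSWORDS = ["password", "123456", "everquest", "letmein"]
DICTIONARY = ["123456", "password", "qwerty", "letmein", "everquest", "dragon"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash: identical passwords always give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(digests, dictionary):
    """Hash the dictionary once, then recover every matching digest by lookup.

    The table is built one time and reused against every stolen record, so
    the cost of cracking does not grow with the number of accounts.
    """
    table = {unsalted_sha1(word): word for word in dictionary}
    return {d: table[d] for d in digests if d in table}


def salted_pbkdf2(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted hash. PBKDF2 is one standard choice; bcrypt, scrypt and
    Argon2 are the other widely used password hashing functions."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS):
    """Stored form of one account's password: a random per-user salt plus digest."""
    salt = os.urandom(16)
    return salt, salted_pbkdf2(password, salt, iterations)


def verify(password: str, record, iterations: int = ITERATIONS) -> bool:
    """Login check. compare_digest avoids leaking the digest through timing."""
    salt, digest = record
    return hmac.compare_digest(salted_pbkdf2(password, salt, iterations), digest)


def crack_salted(records, dictionary, iterations: int = ITERATIONS):
    """Per-record guessing: no table can be shared between accounts, so every
    account costs a fresh pass over the dictionary at the full work factor.

    Returns the recovered passwords and the number of PBKDF2 evaluations spent.
    """
    recovered = {}
    evaluations = 0
    for user, (salt, digest) in records.items():
        for word in dictionary:
            evaluations += 1
            if hmac.compare_digest(salted_pbkdf2(word, salt, iterations), digest):
                recovered[user] = word
                break
    return recovered, evaluations


def demo():
    """Run both attacks over the constructed accounts and summarise the cost."""
    digests = [unsalted_sha1(p) for p in WEAK_PASSWORDS]
    found_unsalted = crack_unsalted(digests, DICTIONARY)

    records = {f"user{i}": make_record(p) for i, p in enumerate(WEAK_PASSWORDS)}
    found_salted, evaluations = crack_salted(records, DICTIONARY)

    return {
        "unsalted_recovered": len(found_unsalted),
        "unsalted_hash_evaluations": len(DICTIONARY),   # one table, reused
        "salted_recovered": len(found_salted),
        "salted_hash_evaluations": evaluations,         # grows with every account
        "pbkdf2_iterations_per_evaluation": ITERATIONS,
    }


if __name__ == "__main__":
    print(demo())
```

Both attacks recover the same weak passwords, because the passwords are weak; the difference is that the unsalted case costs one dictionary pass for the whole database, while the salted, iterated case costs a dictionary pass per account, each guess multiplied by the work factor. That is the gap between "hashed" as a reassurance and hashed in a way that actually protects a hundred million accounts.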
Despite the lack of financial data, such information is still worth something to online criminals, who can use it to carry out identity theft. It can also be used in "spear phishing" schemes, which use personal details to deceive specific individuals who have access to valuable information.
The PlayStation Network is used by millions of gamers on PlayStation 3 and PlayStation Portable game consoles, specialized devices rather than general-purpose personal computers; the PlayStation 3 in particular carries a great deal of raw computing power for its price.
Qriocity is an entertainment on-demand service accessed from personal computers, PlayStation 3s, Sony Blu-ray players, Sony television sets and the newly announced Sony tablet computers.
The news about the Sony Online Entertainment shutdown on Monday came even as Sony began to recover from the nearly two-week shutdown of the PlayStation Network.
Some sites speculated that there may have been a new intrusion, while others figured that Sony administrators had found the same weaknesses in the Sony Online Entertainment network as in the PlayStation Network, and shut it down as a precaution.
The Sony Online Entertainment and PlayStation Network services are housed in two separate server systems located in San Diego. Qriocity is reportedly housed in servers in Marina del Rey, a coastal suburb of Los Angeles.
Sony on Saturday (April 30) had said that the PlayStation Network would slowly be coming back online this coming week. It was not clear if the Sony Online Entertainment shutdown would affect those plans.
Execs bow heads in shame
On Sunday, three Sony company officials bowed their heads in shame, as is sometimes done in Japan, before reporters at a press conference in Tokyo, and then addressed the PlayStation Network intrusion.
Executive Deputy President Kazuo Hirai, thought to be the heir apparent to company President Howard Stringer, explained that while about 77 million user accounts had been exposed, the number of individuals would have been less since many run multiple accounts.
He said only about 10 million users had credit cards registered with the service, and that all card numbers had been encrypted.
Chief Information Officer Shinji Hasejima said the company had not been aware of the vulnerability exploited to get into the back end of the PlayStation Network, and that the company was creating the new position of chief information security officer to improve and enhance such aspects.
Because the PlayStation Network and Sony Computer Entertainment, Inc., are both based in California, the executives said Sony had asked the FBI to lead the investigation into the breach.
Furthermore, Sony offered to pay for the cost of any user who felt it necessary to change credit cards, even as it maintained those numbers were safe.
"We want to state this again given the increase in speculation about credit card information being used fraudulently," read a posting by Senior Director Patrick Seybold posted on both the North American and European PlayStation Network websites.
"One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list."
Nightmare scenario averted?
One tech blogger feared that the hackers who got into the PlayStation Network could have been after something much more serious than credit card numbers.
"This attacker could potentially have created overnight the largest botnet in the world by a very large margin," software developer Marsh Ray wrote.
"Each PlayStation 3 is something [of] a supercomputer in its own right. Each has 6 to 9 high-performance cores (depending on how low-level the code executes) running at 3.2 GHz, plus an Nvidia GPU," Ray explained. "In 2008, researchers using 'just' 200 PS3s for a weekend were able to forge a rogue CA certificate of a type trusted by web browsers to authenticate the identity of any webserver."
There is no evidence anything of the sort actually did happen, but Ray is correct in pointing out that even a few thousand PS3s operating in unison would be incredibly powerful.