Sony has warned that the names, addresses and other personal data belonging to around 77-million people with accounts on its PlayStation Network (PSN) have been stolen.
Gamers have been locked out of the network for a week, but the company has revealed that the system has been suspended since it was hacked last Wednesday.
Sony said it discovered that between 17 and 19 April an “illegal and unauthorised person” gained access to people’s names, addresses, email addresses, birthdates, usernames, passwords, logins, security questions and more.
Children with accounts established by their parents also may have had their data exposed, according to Sony, which put the warning on its United States PlayStation blog — although the warning about the compromise might not be immediately visible to passing readers. The company is also emailing people who might be affected.
The intrusion is potentially one of the biggest ever into a store of credit cards. Sony’s PSN is one of the world’s biggest holders of credit cards, though not as large as Amazon, eBay, PayPal or Apple’s iTunes, which each hold more than 100-million accounts.
The previous largest hacking attacks were on Heartland Payment Systems in January 2009, when up to 100-million US credit and debit card details were stolen, and TK Maxx in March 2007, when up to 46-million credit card details were stolen.
The company said that it saw no evidence that credit card numbers were stolen, but it added: “Out of an abundance of caution, we are advising you that your credit card number [excluding security code] and expiration date may have been obtained.”
Out of action
The online marketplace allows users to purchase and play video games on their PlayStation consoles. It launched in autumn 2006 and offers games, music and movies to people with PlayStation consoles.
The hack attack has put it out of action and it says that it may be up to a week before it is operational again.
Sony said it had hired an outside security firm to investigate what happened and has taken steps to rebuild its system to provide greater protection for personal information.
PlayStation members are required to submit credit card and personal details to play online games and download software, films and music.
Warning users of the network to be on the lookout for telephone and email scams, Sony said: “To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit or similar types of reports.”
PlayStation Network posted an apology to users through the Sony website saying it would email those who are suspected to be victims of the hacking.
It said: “We don’t have an exact date to share at this moment as to when we will have the services turned on, but are working day and night to ensure it is as quickly as possible.
“Please note that we are as upset as you are regarding this attack and are going to proceed aggressively to track down those that are responsible.”
Graham Cluley, senior technology consultant at security firm Sophos, told the BBC that the theft of so much detailed customer information would be seen as a “public relations disaster”.
“This is a big one,” he said. — guardian.co.uk