Joystiq Contributing Editor Ben Gilbert fired up the communicator with SOE PR Representative Ryan Peters to discuss the issues plaguing the MMO developer. Admittedly, many of the answers given were reiterated from a press release on SOE's website, but he was able to extract a few nuggets of information regarding the depth of the incident, which we've compiled past the break. Rest assured that our team will continue to keep you up to date on the latest information.
Joystiq/Massively: Can you clarify this statement: "This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007"?
SOE: The database that was compromised consisted of 24.6 million account records containing one or more of the following: name, address, email address, birthdate, gender, phone number, login name, and hashed password, to the extent provided. Approximately 8.8 million of these are non-U.S and of these approximately 185,000 were Japanese.
Additionally, an outdated database from 2007 containing approximately 12,791 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,740 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain were obtained. However, there is no evidence that our main credit card database was compromised. It is in a completely separate and secure environment.
Was all the information in the database out of date or was the hardware itself out of date? This is very unclear.
We are currently investigating why the outdated database [was] on the system, as this was just discovered yesterday and therefore we do not have any more specifics.
When does SOE plan to restart services?
We will have more information soon. It will be as soon as we are 100% confident that we can resume a safe and secure service.
Why didn't you bring down services upon first learning of the intrusion?
We did. We initially took down our systems from approximately 3 a.m. April 21st to 3 p.m. April 21st. The initial data did not show that any customer data was stolen from our database. Via our thorough investigation that has continued non–stop since the initial attack, we learned on Sunday, May 1st that the data may have been stolen and immediately took action to bring down our services Sunday night. This was the result of a very sophisticated cyber attack that was extremely difficult to detect, and through our examination we were able to uncover the details of the situation.
If the SOE and PSN servers are separate, how was this part of the original attacks?
While the two systems are distinct and operated separately, given that they are both under the Sony umbrella, there is some degree of architecture that overlaps. The intrusions were similar in nature. This is NOT a second attack; new information has been discovered as part of our ongoing investigation of the external intrusion in April.
Will there be additional compensation for current and former subscribers to SOE's MMOs above and beyond what has already been mentioned?
Absolutely. Our intention is to grant customers 30 days of additional time on their subscriptions in addition to compensating them one day for each day our system is down. We are also in the process of outlining the "make good" plan for our PlayStation 3 MMOs (DC Universe Online and Free Realms) and plan on a similar offering, but the complexities of the subscription server dictate how and when this will be available. We will be releasing more information this week. The monthly fees vary by game and are as follows: core MMOs $14.99, Free Realms $4.99 and Clone Wars Adventures is $5.99 per month. The pricing tiers vary depending on the length of the subscription purchased upfront.
Additionally, we are committed to helping our customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar program. The implementation will be at a local level, and further details will be made available shortly in each region.
Some of the questions, including questions about future safeguards and those responsible for the attacks, could not be answered at this time, and no comment was made regarding the delay in telling the customers. Thank you, SOE, for taking the time to answer what you could.