Sony Online loses 12,700 credit card account numbers, 24.6 million accounts compromised [update 2]

Following up on this morning's news that Sony Online Entertainment servers were offline across the board, SOE announced that it has lost 12,700 customer credit card numbers as the result of an attack, and roughly 24.6 million accounts may have been breached.

The company took SOE servers offline after learning of the attack last evening, and today detailed the unfortunate results: "approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, the Netherlands, and Spain" were lost, apparently from "an outdated database from 2007." Of the 12,700 total, 4,300 are alleged to be from Japan, while the remainder come from the aforementioned four European countries.

Furthermore, Sony ties today's announcement directly to the recent attacks on PlayStation Network and Qriocity, and says SOE customer information was stolen on either April 16 or April 17. Sony has repeatedly stated that its PSN servers and SOE servers are not part of the same network, so it remains unclear just how these two attacks are tied together. Head past the break for the full statement from Sony.

Update, 9:03PM EST: SOE has provided us with the following statement, in which it confirms that its user data was stolen as part of the original intrusion -- not a second attack. "While the two systems are distinct and operated separately, given that they are both under the SONY umbrella, there is some degree of architecture that overlaps. The intrusions were similar in nature. This is NOT a second attack; new information has been discovered as part of our ongoing investigation of the external intrusion in April."

Update, 3:45PM EST on 5/3/11: SOE has told GamesIndustry.biz that, of the 12,700 stolen cards, just 900 were still active.

Show full PR text

FOR IMMEDIATE RELEASE


SONY ONLINE ENTERTAINMENT ANNOUNCES
THEFT OF DATA FROM ITS SYSTEMS

Breach Believed to Stem From Initial Criminal Hack of SOE

Tokyo, May 3, 2011 – Sony Corporation and Sony Computer Entertainment announced today that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE, the company) systems revealed yesterday morning (May 2, Tokyo time) that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT). SOE is based in San Diego, California, U.S.A.

This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.

With the current outage of the PlayStation® Network and Qriocity™ services and the ongoing investigation into the recent attacks, SOE had also undertaken an intensive investigation into its system. Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks.

On May 1, Sony apologized to its customers for the inconvenience caused by its network services outages. The company is working with the FBI and continuing its own full investigation while working to restore all services.

Sony is making this disclosure as quickly as possible after the discovery of the theft, and the company has posted information on its website and will send e-mails to all consumers whose data may have been stolen.

The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:
· name
· address
· e-mail address
· birthdate
· gender
· phone number
· login name
· hashed password.

In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:
· bank account number
· customer name
· account name
· customer address.

SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a "make good" plan for its PlayStation®3 MMOs (DC Universe Online and Free Realms). More information will be released this week.

Additionally, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in each region.

Sony Online Entertainment LLC (SOE) has been a recognized worldwide leader in massively multiplayer online games since 1999. Best known for its blockbuster hits and franchises, including EverQuest®, EverQuest® II, Champions of Norrath®, PlanetSide®, Free Realms®, Clone Wars Adventures™, and DC Universe Online™, SOE creates, develops and provides compelling online entertainment for virtually all platforms, including the PlayStation®3 Computer Entertainment System, Personal Computer, mobile and social networks. SOE is building on its proven legacy and pioneering the future of the interactive entertainment space through creative development and inspired gameplay design for audiences of all ages. To learn more, visit www.soe.com.

For more information and update about the SOE services, please visit www.soe.com/securityupdate.


About Sony Corporation
Sony Corporation is a leading manufacturer of audio, video, game, communications, key device and information technology products for the consumer and professional markets. With its music, pictures, computer entertainment and on-line businesses, Sony is uniquely positioned to be the leading electronics and entertainment company in the world. Sony recorded consolidated annual sales of approximately $78 billion for the fiscal year ended March 31, 2010. Sony Global Web Site: http://www.sony.net/

About Sony Computer Entertainment Inc.
Recognized as the global leader and company responsible for the progression of consumer-based computer entertainment, Sony Computer Entertainment Inc. (SCEI) manufactures, distributes and markets the PlayStation® game console, the PlayStation®2 computer entertainment system, the PSP® (PlayStation®Portable) handheld entertainment system and the PlayStation®3 (PS3®) system. PlayStation has revolutionized home entertainment by introducing advanced 3D graphic processing, and PlayStation 2 further enhances the PlayStation legacy as the core of home networked entertainment. PSP is a handheld entertainment system that allows users to enjoy 3D games, with high-quality full-motion video, and high-fidelity stereo audio. PS3 is an advanced computer system, incorporating the state-of-the-art Cell processor with super computer like power. SCEI, along with its subsidiary divisions Sony Computer Entertainment America Inc., Sony Computer Entertainment Europe Ltd., and Sony Computer Entertainment Korea Inc. develops, publishes, markets and distributes software, and manages the third party licensing programs for these platforms in the respective markets worldwide. Headquartered in Tokyo, Japan, SCEI is an independent business unit of the Sony Group.