Sony admits breach larger than originally thought, 24.5 million SOE users also affected


Sony disclosed today that the breach affecting its PlayStation Network (PSN) that saw 77 million records lost was larger than they originally thought. Not only were the details of PSN users stolen, but another 24.5 million records related to users of Sony Online Entertainment were stolen as well.

Sony Online Entertainment (SOE) is the division of Sony responsible for many of their popular online role-playing games like DC Universe Online and Star Wars: Clone Wars Adventures. As in the PSN breach, the lost information included names, addresses (city, state, zip, country), email addresses, gender, birthdates, phone numbers, login names and hashed passwords.

In news perhaps worse than the disclosure from two weeks ago, Sony is saying that 12,700 credit and debit cards and expiration dates of non-US customers and 10,700 direct debit accounts (bank account numbers) for users in Germany, Austria, Netherlands and Spain may also have been stolen.

Unlike the credit cards from PSN, which Sony assured the public were encrypted, no mention was made in Sony's press release about the information from SOE being protected.

Sony was quick to note that the passwords had been hashed, but has not disclosed which hashing algorithm was used and whether they used a salt when calculating the hashes.
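Why those two undisclosed details matter, shown as an added example that is not part of the original post or anything Sony published: it compares a fast unsalted hash with a per-user salted PBKDF2 record and counts how many stored records end up identical. The sample accounts, the choice of SHA-256 and PBKDF2, and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not breach data): two users share a password.
ACCOUNTS = [("alice", "dragon2011"), ("bob", "dragon2011"), ("carol", "Tr0ub4dor&3")]
ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_record(password):
    """Fast, unsalted hash: identical passwords always give identical records."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_records(records):
    """Number of stored records that are identical to another user's record."""
    counts = Counter(records)
    return sum(n for n in counts.values() if n > 1)


def compare_schemes():
    """Store the same accounts under both schemes and count identical records."""
    unsalted = [unsalted_record(p) for _, p in ACCOUNTS]
    salted = [salted_record(p) for _, p in ACCOUNTS]
    return {"unsalted": shared_records(unsalted), "salted": shared_records(salted)}


if __name__ == "__main__":
    print(compare_schemes())
```

Without a salt, the two accounts that share a password are visibly linked in the stored table and one precomputed hash covers both; with a per-user salt every record is distinct and each must be attacked separately at the KDF's cost.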

Sony mentioned that the lost credit/debit card information and direct debit banking information was stored in an "outdated database from 2007."

WHAT??!?! How many locations on your network are housing other "lost" financial data? Do you even know where my information is to check whether it has been stolen?

Whether Sony's bad practices are an act of hubris or simply gross incompetence is hard to discern. Let's hope for the sake of Sony's customers and the poor souls in their public relations department that this is the last disclosure they will need to make related to this incident.

It is important to remember that Sony is a victim as well, not just the 101.5 million customers whose personal information has been disclosed. Malicious attacks like this are a serious crime; it is just unfortunate that Sony had not taken a few preventative measures to be sure our information was safe.

For more information on how to keep your data safe, visit our Data Loss and Regulations site to download free tools, papers and other advice on keeping your data safe.

5 Responses to Sony admits breach larger than originally thought, 24.5 million SOE users also affected

  1. Steve · 1269 days ago

    had the SOE email this morning. But I don't go online?!? I think it must be a demo I played some years back.

  2. wobbly · 1268 days ago

    so sony is a victim? yeah sure. and we all get a month of free gametime. nice. too bad, I'm not playing any of your games anymore. and thanks for sharing my data, sony.

  3. JWalker · 1268 days ago

    Anyone wanna buy a PlayStation 3. I'm done with it.

  4. Jonah · 1268 days ago

    Yeah, I got the email today, and I already knew about the hack because of you guys over at Sophos.

  5. noone · 1268 days ago

    continued
    When someone 'big' makes the same mistakes as everyone else makes, hackers will take advantage just for the sheer fun of it on a boring day. I bet it took them seconds to get in, if that, and what do we have to show for it? I don't have the TIME to screw around with changing my credit card number, etc., or wondering if someone changed my email so they could take over my account. Bye-bye game download purchases --- and how much you wanna bet when you run to sony they will tell you 'We will get back to you but the matter is under advisement.'
    Sony simply doesn't give a shit about customer data, plain and simple.
    But then, what the hell do I know?
    Just an overworked, underappreciated computer programmer, system analyst, security, whatever.
    Oh, well...
    Gino

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.