Sony disclosed today that the breach affecting its PlayStation Network (PSN) that saw 77 million records lost was larger than they originally thought. Not only were the details of PSN users stolen, but another 24.5 million records related to users of Sony Online Entertainment were stolen as well.
Sony Online Entertainment (SOE) is the division of Sony responsible for many of their popular online role-playing games like DC Universe Online and Star Wars: Clone Wars Adventures. As in the PSN breach, the lost information included names, addresses (city, state, zip, country), email addresses, gender, birthdates, phone numbers, login names and hashed passwords.
In news perhaps worse than the disclosure from two weeks ago, Sony is saying that 12,700 credit and debit cards and expiration dates of non-US customers and 10,700 direct debit accounts (bank account numbers) for users in Germany, Austria, Netherlands and Spain may also have been stolen.
Unlike the credit cards from PSN, which Sony assured the public were encrypted, no mention was made in Sony’s press release about the information from SOE being protected.
Sony was quick to note that the passwords had been hashed, but has not disclosed which hashing algorithm was used and whether they used a salt when calculating the hashes.
Sony mentioned that the lost credit/debit card information and direct debit banking information was stored in an “outdated database from 2007.”
WHAT??!?! How many locations on your network are housing other “lost” financial data? Do you even know where my information is to check whether it has been stolen?
Whether Sony’s bad practices are an act of hubris or simply gross incompetence is hard to discern. Let’s hope for the sake of Sony’s customers and the poor souls in their public relations department that this is the last disclosure they will need to make related to this incident.
It is important to remember that Sony is a victim as well, not just the 101.5 million customers whose personal information have been disclosed. Malicious attacks like this are a serious crime, it is just unfortunate that Sony had not taken a few preventative measures to be sure our information was safe.
For more information on how to keep your data safe, visit our Data Loss and Regulations site to download free tools, papers and other advice on keeping your data safe.
5 comments on “Sony admits breach larger than originally thought, 24.5 million SOE users also affected”
had the SOE email this morning. But I don't go online?!? I think it must be a demo I played some years back.
so sony is a victim? yeah sure. and we all get a month of free gametime. nice. too bad, im not playing any of your games anymore. and thanks for sharing my data, sony.
Anyone wanna buy a PlayStation 3. I'm done with it.
Yeah, i got the email today, and i already knew about the hack because of you guys over at Sophos.
When someone 'big' makes the same mistakes as everyone else makes, hackers will take advantage just for the sheer fun of it on a boring day. I bet it took them seconds to get in, if that., and what do we have to sho for it? I don't have the TIME to screw around with changing my credit card number, etc., or wondering if someone changed my email so they could take over my account. Bye-bye game download purchases — and how much you wanna bet when you run to sony they will tell you 'We will get back to you but the matter is under advisement.'
Sony simply doesn't give a shit about customer data, plain and simple.
But then, what the hell do I know?
Just an overworked, underappreciated computer programmer, system analyst, security, whatever.