Sony warned that personally identifiable information for an additional 25 million customers was exposed after discovering a massive security breach extended to its online computer games service.
The intrusion on Sony Online Entertainment systems exposed data for 24.6 million users, including their name, address, email address, birthdate, phone number, and login name. Those behind the attack likely also made off with passwords that were hashed, although Sony didn't address critical details, including what hashing algorithm was used and whether random values known as salt were used to prevent crooks from converting hashes into cleartext.
Sony also warned that that the SOE attackers may also have stolen an “outdated database” that stored data for some 12,700 payment cards belonging to customers located in Europe. The majority of SOE card information was stored in a “main credit card database” that was “in a completely separate and secured environment” that Sony analysts don't believe was accessed.
The warning came a day after Sony closed the SOE's Station.com website, because investigators “discovered an issue that warrants enough concern for us to take the service down effective immediately.”
Combined with a previously reported hack on the company's PlayStation Network, in which sensitive data for 78 million users is believed to have been stolen, the new disclosure means Sony has exposed personally identifiable information for 102.6 million user accounts. Sony has said that the passwords in the previously disclosed attack were also hashed, but so far hasn't supplied the same crucial details.
For the first time, Sony hinted that it would compensate users for the cost of enrolling in programs designed to prevent identity theft. “The implementation will be at a local level and further details will be made available shortly in each region,” Tuesday's press release from Sony said.
The company also said SOE users will get 30 free days of additional time on their subscriptions and compensation of one day for each day the system is down. Sony hasn't said when it expects to restore SOE service. It has said that PSN and Qriocity services will be progressively restarted over the coming week.
The intrusion on SOE happened on April 16 and 17, around the same time as the attack on the PSN, from April 17 to April 19. Sony closed the PSN on April 20, but didn't disclose the extent of the breach until six days later. Security experts have already said that the amount of information believed to have been stolen in the PSN hack, and the number of users affected, means the attackers had sustained access to the core parts of Sony's network.
The revelation, two weeks after the attack was discovered, that SOE was also penetrated further supports assessments that this breach was extraordinarily deep. No wonder Sony is looking for a senior application security analyst to join its team. ®