Reports are trickling out from Sony PlayStation Network users about recent fraudulent charges on the credit cards they used for the PlayStation service. But it can't be substantiated at this time whether the fraud is a result of the data breach at Sony, and the timing of the reports could be coincidental.
Sony warned yesterday that customer names, e-mail addresses, birthdays, passwords, usernames, and possibly credit card account information was obtained by an "unauthorized person" between April 17 and 19. As many as 75 million customer accounts are affected.
The company has not said how the breach happened and says there is "no evidence" that credit card information was compromised, but it advised customers to monitor their credit cards for erroneous charges anyway. The situation has prompted a lawsuit, and also a letter from Connecticut Senator Richard Blumenthal to Sony saying he was troubled the company took a week to notify customers of the breach and urging Sony to provide free credit protection services to prevent identity fraud and theft.
Here's what people have reported:
An employee of GameFly Media tweeted that a colleague's card was used to buy $1,500 worth of goods at a grocery store in Germany.
A reader of gaming site VGN365 said his bank had informed him of a fraudulent $300 debit card withdrawal this weekend. And another person reported on video game forum site Neogaf.com $600 in fraudulent withdrawals.
Ars Technica reports hearing from about two dozen people complaining about fraudulent charges, including one who said $600 was used to pay for a ticket on a German airline and another who said $8,000 from his account was spent at a Japanese store.
Credit card companies are calling customers when they notice suspicious activity and are sending them new cards, they said. And someone reported on Neogaf.com that a spare Gmail account that was associated with a PSN account and used the same password was compromised.
PSN users should carefully monitor their credit card and bank accounts associated with the service for any strange activity and inquire about free fraud protection services. Individuals can also put a freeze on their accounts, request a copy of their credit report, and get new credit cards.
And let CNET know of any fraud or suspicious activity that might be related to the Sony breach.
Update 5:28 p.m. PT: Sony released an FAQ blog post today that said credit card data was encrypted and separate from the other data, which was not encrypted but was "behind a very sophisticated security system that was breached in a malicious attack."
"While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."
The post also said Sony is working with law enforcement but did not say what agency. A representative for the FBI in San Francisco told CNET that the agency had nothing to report on the matter at this time.