Sony acknowledged today that the personal information of its PlayStation Network customers has been compromised.
The company posted an update on its blog today warning its more than 70 million customers that their personal information, including customer names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords, and user names, as well as online user handles, was obtained illegally by an "unauthorized person." The data was accessed between April 17 and 19, according to Sony.
With respect to credit card information, which many users have given to Sony in order to purchase or rent content via the service, Sony is less sure of what transpired.
"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," a company spokesman wrote today. "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
And as a result, Sony has temporarily turned off PlayStation Network and Qriocity, its subscription music service, contracted with an outside security firm to investigate the intrusion on its network, and started to rebuild its system and security. Sony would not say whether the company had contacted the FBI or any law enforcement about the breach.
It took Sony five days to level with its customers about the consequences of what knocked its service offline. Midway through last week users noticed error messages when trying to sign into the service. While the company initially acknowledged the service was inaccessible on Friday, it offered no explanation of why and said PSN would be back up and running in a "day or two."
Yesterday Sony acknowledged an "external intrusion" on its network and said it was in the process of rebuilding PSN without hinting that personal data was compromised.
Late Tuesday Sony sent CNET this statement from spokesman Patrick Seybold, explaining the gap between when the problem was identified and when the company learned that customers' personal data had been compromised.
"We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach," wrote Seybold.
The company says it is currently in the process of e-mailing all of its customers about the intrusion.
Sen. Richard Blumenthal, a Connecticut Democrat, wrote a letter to Jack Tretton, president and chief executive of Sony Computer Entertainment America, saying he was troubled that the company had not notified customers sooner about the breach. He also called for Sony to provide affected customers with financial data security services, including free access to credit reporting services for two years to protect against identity theft.
"When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised... I am concerned that PlayStation Network users' personal and financial information may have been inappropriately accessed by a third party," Blumenthal wrote in the letter. "Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised."
At potentially 70 million records exposed, the Sony breach could be one of the largest. The DataLossDB.org site lists four larger breaches with the Heartland breach in 2009, which exposed about 130 million records, at the top, followed by the TJ Maxx breach at 94 million records in 2007.
The news comes three weeks after dozens of companies notified their customers that names and e-mail addresses were exposed in a breach at e-mail marketing service provider Epsilon. The companies affected included a who's who of retail brands, including Citibank, Chase, Capital One, Walgreens, Target, Best Buy, TiVo, TD Ameritrade, and Verizon. It's unclear how many individuals were affected by that breach.
What should you do?
Finding out whether credit card account information was exposed is key to assessing the risks for Sony customers. With that information, fraudsters can take over bank and credit card accounts and make purchases.
Even if that financial information was not exposed, individuals run the risk of having their Sony PSN accounts hijacked and being targeted with phishing attacks. For instance, customers should be wary of e-mails that purport to come from Sony and ask for credit card or other sensitive information, said Beth Givens, founder and director of the Privacy Rights Clearinghouse.
People whose information was exposed in the breach should change their Sony account passwords and password security questions when the network is back online, and ignore e-mails asking for sensitive information from anybody, Givens added. In addition, she suggested people affected by the breach monitor for fraudulent activity on their credit card that Sony had on file, just in case the accounts were exposed. (More details on identity fraud and what consumers can do to protect themselves can be found here.)
"One of the things I'm critical of Sony about is (them) not being more forthcoming with details of the breach," Givens said. "It leaves the affected individuals in the dark, with more questions than answers."
Failing to notify customers about the breach for seven days is not uncommon, Givens said, adding that the situation depends on what they knew when. "If they were absolutely certain about the details of the breach and the extent of it six or seven days ago, in my opinion, they should have alerted their customers."
Under California law, the type of information that triggers the notice requirement is an individual's name plus one or more of the following: Social Security number, driver's license or California Identification Card number, financial account numbers, medical information or health insurance information.
So, if credit card numbers were compromised, then Sony would need to notify the affected persons under California and other state laws, according to Givens. But if not, technically it would not be required to provide notice, she said.
"However, 'best practices' these days is to notify no matter which data elements have been affected," she added. "They would suffer a big PR black eye if they were not to disclose and it were discovered and made public some other way."
Even though Sony is a Japanese company, disclosure laws in the United States requiring notification of customers of breaches would be applicable because Sony does business in the states and holds personal information of people living in the U.S., said Francoise Gilbert, managing director of the IT Law Group in Palo Alto, Calif.
In the meantime, Sony says it "has a clear path" to bring PSN and Qriocity back online "within a week." But how many customers will be ready to hand over new credit card information and trust Sony with their passwords and addresses again?
As it is, because the network is down, PSN users can't access the PSN Web site or the service via the PS3 to change their passwords or delete their personal info and credit card.
CNET reader Konfuzed expressed dismay over the timing. "Why in the world would Sony wait six days to tell me I should be concerned about my PII? Their customer service leaves a lot to be desired. I have stopped using brands over much less...Not saying I'm giving up my PS3 though."
"Really? Almost a week before telling me that my CC# may have been compromised???? SONY this is unacceptable!" wrote a reader who goes by elgrislobo.
And the ire from customers angry that it took the company this long to explain the extent of the damage continues to pour out on blog comments.
On Sony's official PSN blog, user Korbei83 wrote, "If you have compromised my credit information, you will never receive it again. The fact that you've waited this long to divulge this information to your customers is deplorable. Shame on you. Excuse me while I go change my password...oh wait. I can't."
"It was the almost complete lack of communication from Sony that is so disappointing to me. As a tech guy I am completely stunned at Sony's slow and horrible response to this issue," wrote ricksterd64. "Whatever disaster plan you had you can just go ahead and stamp it with a giant red 'F' and go back to the drawing board and come up with a better disaster plan for the future. One which keeps the users and supporters of their systems including developers a little better notified as to what is going on."
The breach is just the latest in a series of PlayStation 3-related incidents Sony has been dealing with. After hacker George Hotz figured out how to jailbreak the popular game console last year so people could run homebrew and pirated applications on the device, Sony took Hotz and others to court. In response, members of the Anonymous hacker group targeted Sony's PS3 sites with a denial-of-service attack three weeks ago. On April 11, Hotz and Sony reached a settlement. The latest incident is believed to be totally unrelated to the Anonymous activity.
This post was updated several times, most recently at 8:48 p.m. PT with comment from Sony about the delay in notifying customers, at 5:35 p.m. PT with Senator letter to Sony and legal comment, 4:28 p.m. PT with background on Sony's PS3-related troubles, and 3:40 p.m. PT with additional context.
CNET's Elinor Mills contributed to this story.