Sony Data Breach Tally Rises to 101 Million Users

The data breach disclosures from Sony get progressively grimmer as the company admits that the accounts of 24.6 million Sony Online Entertainment users have been compromised.

Sony has admitted that the intruders who stole data from the PlayStation Network and Qriocity music and video service also breached its Sony Online Entertainment service.

The personal information of an additional 24.6 million gamers who'd registered on the Sony Online Entertainment service was compromised, Sony disclosed late in the day on May 2. Names, home addresses, email addresses, dates of birth, phone numbers and gender information were stolen.

Sony disclosed on April 27 that thieves had stolen account information of up to 77 million users on the PlayStation Network and Qriocity. That breach affected primarily PlayStation owners. This latest disclosure means that account information of more than 101 million users has been compromised by this network intrusion.

Most SOE users are not PlayStation owners, but play games on Facebook and on the PC. SOE powers multiplayer games including EverQuest II, Star Wars Galaxies, Free Realms and DC Universe as well as Facebook-based Fortune League.

"We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company," Sony said in its message to customers. "On May 1, we concluded that SOE account information may have been stolen."

In the case of PSN and Qriocity, the company had no actual evidence that credit card information had been stolen, but said it was erring on the side of caution by notifying users of the possibility. That was not the case for SOE, as direct debit details of 10,700 customers in Austria, Spain, the Netherlands and Germany were stolen. Also taken were credit or debit card details of 12,700 non-United States customers from an "outdated database from 2007," according to the company. Sony emphasized that the three-digit security codes had not been stored and were not compromised. The card numbers and expiration dates were securely encrypted, according to the company.

"There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment," Sony said in its message.

Sony said SOE was breached between April 16 and 17, the same time PSN and Qriocity were compromised. Sony shut down those services on April 20, but didn't take SOE offline until May 1.

"In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down, effective immediately," Sony said in its maintenance note.

Sony said it is working with the FBI and continuing its own investigation while working to restore all services.

Sony reminded users to be aware of scams that ask for personal or sensitive information and that U.S.-based customers can place a free fraud alert with national credit reporting agencies to protect themselves from credit card fraud. However, Equifax, one of the major credit bureaus, warned users that the alerts were not sufficient protection against identity theft.

"Although fraud alerts have long been recognized as one of the strongest methods of identity protection, they simply aren't enough," Trey Loughran, president of Equifax Personal Information Solutions, told eWEEK. Existing account information such as credit card numbers is vulnerable even with an active fraud alert in place, Loughran said. A fraud alert is most useful against new account fraud, but won't prevent identity thieves from using the numbers to rack up charges on existing accounts.

Sony is overhauling SOE's security procedures, much like the current effort to rebuild PSN. While rumors surfaced on underground hacking forums that the thieves were offering the stolen card numbers for sale, Sony said the rumors were not true. "There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment," Patrick Seybold, Sony's senior director of corporate communications and social media, wrote on the PlayStation blog.

There are "no consequences" for companies that "under-invest" in security, Phil Lieberman, CEO of Lieberman Software, told eWEEK. As such, users should "always assume" that companies asking for personal information are "totally incompetent at securing the data," Lieberman said.

Three senior executives from Sony formally apologized at a press conference on May 1. SOE customers will receive 30 free days added to their subscriptions as well as an additional day for each day the system is down.