Sony was today facing a backlash from users of its online video game network after it emerged that the details of 77 million user accounts may have been stolen.
The electronics firm uncovered a breach in its PlayStation Network (PSN) on April 19th, resulting in a temporary shutdown of the service that has left users unable to download games or play online over the network.
Sony’s music and video streaming service, Qriocity, was also affected.
Sony said the breach by an "illegal and unauthorised person", which occurred between April 17th and 19th, may have allowed the theft of names, addresses, email addresses, birth dates, user names, passwords, logins, security questions and possibly credit card data.
However, Sony did not inform customers about the stolen data until yesterday. The company said it hired an external security firm to investigate the breach, which took "several days of forensic investigation" before Sony knew consumers' data had been compromised.
Nick Caplin, head of Sony Computer Entertainment’s communications, defended its actions on the PlayStation blog.
“It took our experts until [Tuesday] to understand the scope of the breach,” he wrote. “We then shared that information with our consumers and announced it publicly [Tuesday] evening.”
In its statement, Sony said it saw no evidence credit card numbers were stolen, but it could not rule out the possibility that the data had been compromised. It warned customers to be alert for possible identity theft scams using the information obtained from the data breach.
“For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information,” it said. “To protect against possible identity theft or other financial loss, we encourage you to remain vigilant to review your account statements and to monitor your credit reports.”
The delay in announcing the theft has sparked anger from users, almost 90 per cent of whom are based in Europe or the United States.
"If you have compromised my credit information, you will never receive it again," read one message on the PSN blog from a user under the name Korbei83. "The fact that you've waited this long to divulge this information to your customers is deplorable. Shame on you."
On PlayStation’s EU-based blog, a user under the name Agriel posted: “What makes Sony look so bad is the silent treatment you have been giving us from day one.”
Dermot Williams, managing director of IT security firm Threatscape, said customers were right to be concerned about the incident.
"The fact that Sony has chosen to entirely shut down this high profile and very widely used service – and is 'rebuilding' it before making it available to customers again – indicates that the intrusion, and scale of data theft, could be very significant indeed," he said. "As events have continued to unfold we believe the culprits are likely to be cyber criminals motivated by the prospect of financial gain."
PSN, which was launched in late 2006, allows users of the PlayStation 3 and PlayStation Portable video game consoles to play games online and access digital content such as music and movies. As of March 20th, it had 77 million users, 32 million of whom were in Europe. It is not yet known how many Irish users have been affected by the breach, as Sony does not divulge usage figures for individual countries.
The Data Protection Commissioner said the breach was a reminder to consumers to be careful about their data.
“It’s a reminder to people when you provide your details to international operations like Sony, you should make sure where your data is being stored,” a spokesman said. “If it’s going outside this jurisdiction, or worse, outside the EU, you need to make sure you understand which particular standards apply to the storage of data.”
Because Sony’s European headquarters are located in London, Britain’s data protection authorities will discuss the data breach with Sony, he said.
“For Irish users, the important thing is to change passwords as soon as possible, particularly if they use it for other web-based applications such as their email account,” he said.
Additional reporting: Reuters