Sony warned Tuesday that identity theft scams could be imminent after its PlayStation Network and Qriocity services suffered a massive cyber attack last week that compromised more than 70 million login credentials and other pieces of personal information used to access user accounts. The breach drew consternation from security solution providers over the company's lack of data protections and its slow response.
"For your security, we encourage you to be especially aware of e-mail, telephone and postal mail scams that ask for personal or sensitive information," Sony said in its advisory. Sony maintained that it would not contact customers for credit card numbers or any other sensitive information, while advising them to remain vigilant for identity theft or other financial loss by reviewing account statements and monitoring credit reports.
The stolen information included user names, passwords, online IDs, customer addresses, e-mail addresses, and birth dates, and could possibly include profile data, including purchase history, billing addresses and answers to security questions.
While the electronics giant said that thus far there was no evidence that credit card data was among the stolen information, it added that "we cannot rule out the possibility" if users had provided credit card numbers through the PlayStation Network or Qriocity.
Sony said that it plans to keep the compromised system offline temporarily and gradually restore services after the vulnerabilities are remediated, maintaining that it expected some services to be up and running within a week.
"These malicious actions have also had an impact on your ability to enjoy the services provided by PlayStation Network and Qriocity including online gaming and online access to music, movies, sports and TV shows. We have a clear path to have PlayStation Network and Qriocity systems back online, and expect to restore some services within a week," said Patrick Seybold, senior director of corporate communications and social media for Sony, in a blog post Tuesday.
The disclosure that users' personally identifying data had been compromised followed Sony's announcement last week that it had been the victim of an "external intrusion" into the network, which occurred somewhere between April 17th and 19th.
In response to the external hack, Sony said it immediately turned off PlayStation Network and Qriocity services and commissioned an outside security firm to investigate the breach while it plugged security holes in the network.
However, security solution providers said that they were perplexed at the company's lack of security protections for its customers' data, maintaining that the compromise of 70 million records represented a huge failing on Sony's part.
Leo Bletnitsky, CEO of Las Vegas Med IT, based in Las Vegas, Nev., said that Sony apparently stored copious amounts of customer data in unencrypted files.
"It sounds like if it was encrypted, they wouldn't be worried about it," he said. "That really doesn't make sense to me. There's really no good excuse. They were probably looking at it as consumer data and not really security sensitive. But there's no good legitimate reason that I can think of as to why they did this."
Bletnitsky said that there was reason to believe that Sony also stored unencrypted credit card data, in light of the fact that the company appeared concerned about the possible breach of credit card numbers.
"That's a PCI violation. That means serious civil fines. This is a public company that does know better. It's not an 'Oops, we didn't realize,'" he said.
Meanwhile, security experts also expressed consternation regarding Sony's belated disclosure and response following the breach.
"Sony's initial delay and vagueness about the nature of their security breach gives hackers the opportunity to exploit that data and potentially mine more of their customers' information," said Mandeep Khera, chief marketing officer for security company Cenzic, in an e-mail. "While we can understand that Sony had to get forensics done to find out how it happened, there's no excuse for them to not inform the customers right away."
Bletnitsky said that Sony's due diligence should have included informing customers almost immediately after the breach was detected.
"I understand having a little bit of an investigation, but that usually doesn’t take a week, not for a company like Sony," he said. "This is something that they really should have jumped on faster. Seven days in this day and age is an eternity."