Sony warned Tuesday that identity theft scams could be imminent after its PlayStation Network and Qriocity services suffered a massive cyber attack last week that compromised more than 70 million login credentials and pieces of personal information used to access user accounts, eliciting consternation among the security solution providers for the company's lack of data protections and slow response.
"For your security, we encourage you to be especially aware of e-mail, telephone and postal mail scams that ask for personal or sensitive information," Sony said in its advisory. Sony maintained that it would not contact customers for credit card numbers or any other sensitive information, while advising them to remain vigilant for identity theft or other financial loss by reviewing account statements and monitoring credit reports.
The stolen information included user names, passwords, online IDs, customer addresses, e-mail addresses, and birth dates, and could possibly include profile data, including purchase history, billing addresses and answers to security questions.
While the electronics giant said that thus far there was no evidence that credit card data was among the stolen information, it added that "we cannot rule out the possibility" if users had provided credit card numbers through the PlayStation Network or Qriocity.
Sony said that it plans to keep the compromised system offline temporarily and gradually restore services after the vulnerabilities are remediated, maintaining that it expected some services to be up and running within a week.
"These malicious actions have also had an impact on your ability to enjoy the services provided by PlayStation Network and Qriocity including online gaming and online access to music, movies, sports and TV shows. We have a clear path to have PlayStation Network and Qriocity systems back online, and expect to restore some services within a week," said Patrick Seybold, senior director of corporate communications and social media for Sony, in a blog post Tuesday.
Users' personally identifying data were compromised following Sony's disclosure last week that it had been the victim of an " external intrusion" into the network that occurred somewhere between April 17th and 19th.
In response to the external hack, Sony said it immediately turned off PlayStation Network and Qriocity Services while commissioning an outside security firm to investigate the breach while plugging security holes in the network.
However, security solution providers said that they were perplexed at the company's lack of security protections for its customers' data, maintaining that a breach of 70 million compromised records represented a huge failing on Sony's part.
Leo Bletnitsky, CEO of Las Vegas Med IT, based in Las Vegas, Nev., said that Sony lapparently stored copious amounts of customer data in unencrypted files.
"It sounds like if it was encrypted, they wouldn't be worried about it," he said. "That really doesn't make sense to me. There's really no good excuse. They were probably looking at it as consumer data and not really security sensitive. But there's no good legitimate reason that I can think of as to why they did this."
Next: Sony Should Have Encrypted Data, Solution Providers Say