Sony Corp. said Monday that 24.6 million customer accounts from its Sony Online Entertainment [SOE] division may have been compromised by a security breach last month that had already been found to compromise 77 million accounts from its PlayStation Network and Qriocity Services divisions.
The company said hackers may have stolen SOE customer account information in the breach on April 16 and April 17. Information from an outdated 2007 database may also have been stolen, including about 12,700 non-U.S. credit or debit cards and about 10,700 debit records of customers in Germany, Spain, Austria and the Netherlands.
The personal information of the SOE accounts that may have been obtained includes names, addresses, e-mail addresses, birthdates, gender, phone numbers, login names, and hashed passwords. Sony said it shut down all servers related to SOE services while it reviews and upgrades its security systems.
“With the current outage of the PlayStation Network and Qriocity services and the ongoing investigation into the recent attacks, SOE had also undertaken an intensive investigation into its system,” Sony said Monday in a message on its SOE site. “Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks.
“On May 1, Sony apologized to its customers for the inconvenience caused by its network services outages,” Sony continued. “The company is working with the FBI and continuing its own full investigation while working to restore all services. Sony is making this disclosure as quickly as possible after the discovery of the theft, and the company has posted information on its website and will send e-mails to all consumers whose data may have been stolen.”
Sony’s PlayStation Network and Qriocity services suffered the massive cyber attack that compromised more than 70 million login credentials and pieces of personal information used to access user accounts, prompting criticism from security experts and security solution providers for the company's lack of data protections and slow response.
Responding to the attack, Sony said it immediately turned off PlayStation Network and Qriocity Services and commissioned an outside security firm to investigate the breach while plugging security holes in the network.
One security solution provider said Sony apparently lacked adequate security protections for its customers' data. Leo Bletnitsky, CEO of Las Vegas Med IT, based in Las Vegas, Nev., said that Sony apparently stored copious amounts of customer data in unencrypted files.
"It sounds like if it was encrypted, they wouldn't be worried about it," he said. "That really doesn't make sense to me. There's really no good excuse. They were probably looking at it as consumer data and not really security sensitive. But there's no good legitimate reason that I can think of as to why they did this."