Personal information of up to 70 million Sony PlayStation Network and Music Unlimited customers has been exposed in a breach in which the records were illegally accessed.
Hackers have brought down the PlayStation Network after accessing the details of up to 70 million users (Credit: Sony Computer Entertainment)
Customer names, addresses, email addresses, birthdays, PlayStation Network and Qriocity passwords and user names, as well as online user handles, were obtained illegally by an "unauthorised person", according to Sony. The data was accessed between 17 and 19 April.
With respect to credit card information, which many users have given to Sony in order to purchase or rent content via the service, Sony is less sure of what transpired.
"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," the company said. "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
And as a result, Sony has temporarily turned off PlayStation Network and Qriocity, its subscription music service, contracted with an outside security firm to investigate the intrusion on its network, and started to rebuild its system and security. Sony would not say whether the company had contacted the FBI or any law enforcement about the breach.
It took Sony five days to level with its customers about the consequences of what knocked its service offline. Midway through last week, users noticed error messages when trying to sign into the service. While the company initially acknowledged that the service was inaccessible on Friday, it offered no explanation of why, and said that PSN would be back up and running in a "day or two."
Yesterday Sony acknowledged an "external intrusion" on its network and said that it was in the process of rebuilding PSN. It never hinted that personal data was compromised, and it's unclear why the company took so long to say so.
The company says that it is currently in the process of emailing all of its customers about the intrusion.
At 70 million records exposed, the Sony breach could be one of the largest data breaches. The DataLossDB.org site lists four breaches larger than that, with the Heartland breach in 2009, which exposed about 130 million records, at the top, followed by the TJ Maxx breach at 94 million records in 2007.
The news comes three weeks after dozens of companies notified their customers that names and email addresses were exposed in a breach at email marketing service provider Epsilon. The companies affected included a who's who of retail brands, including Citibank, Chase, Capital One, Walgreens, Target, Best Buy, TiVo, TD Ameritrade and Verizon. It's unclear how many individuals were affected by that breach.
In the meantime, Sony says that it "has a clear path" to bring PSN and Qriocity back online "within a week." But how many customers will be ready to hand over new credit card info and trust Sony with their passwords and addresses again?
As it is, because the network is down, PSN users can't access the PSN website or the service via the PS3 to change their passwords, or delete their personal and credit card info.
On Sony's official PSN blog, user Korbei83 wrote, "If you have compromised my credit information, you will never receive it again. The fact that you've waited this long to divulge this information to your customers is deplorable. Shame on you. Excuse me while I go change my password ... oh wait. I can't."
"It was the almost complete lack of communication from Sony that is so disappointing to me. As a tech guy I am completely stunned at Sony's slow and horrible response to this issue," wrote ricksterd64. "Whatever disaster plan you had you can just go ahead and stamp it with a giant red 'F' and go back to the drawing board and come up with a better disaster plan for the future. One which keeps the users and supporters of their systems including developers a little better notified as to what is going on."
CNET's Elinor Mills contributed to this story.