Sony has just announced that the scope of their “external intrusion” is much greater than they had thought.
Of course, the PlayStation Network and Qriocity services have been down since on or about April 19th. Sony has confirmed that its servers were breached and personal information was stolen by an unknown group.
Now, it looks like user information from Sony’s Online Entertainment Division has been compromised as well. From SOE:
This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.
Sony Online Entertainment is a gaming division of Sony that produces huge online multiplayer games, among other things. Some if its most well known games are the MMORPG EverQuest, Star Wars Galaxies and Free Realms.
Sony discovered this during their ongoing investigation of the PSN and Qriocity attacks. Originally, they thought that SOE users accounts had not been touched during the initial hack, but just now concluded that they had in fact been accessed on April 16th and 17th.
Sony says that this is not a new cyber-attack. This is part of the original “external intrusion” that prompted the shutdown of the PSN. A Sony rep told Joystiq :
“While the two systems are distinct and operated separately, given that they are both under the SONY umbrella, there is some degree of architecture that overlaps. The intrusions were similar in nature. This is NOT a second attack; new information has been discovered as part of our ongoing investigation of the external intrusion in April.”
The extent of the information stolen for U.S. customers is name, address, email, birthday, password and phone number. For non-U.S. players, it’s a little more dicey. As stated above, credit card info was indeed stolen as well as direct deposit information which Sony details to mean bank account numbers and account names.
Like Sony has stated when addressing the PSN outage, they say there is no evidence that their main credit card database was compromised – so U.S. players have no confirmation whether their financial info has been stolen or not.
Like the PSN after the hack, Sony has taken down its SOE services while they investigate. Yesterday, they announced that the PSN will return many of its services some time this week. Sony will also be offering a “welcome back” rewards program as an apology to its users for the outage.