Sony has revealed the extent of the attack that has seen its online service PlayStation Network (PSN) offline for almost a week, announcing that its entire userbase’s personal information, including login details, home address and possibly credit card details, has been taken by “an unauthorised person”.
The firm took PSN offline late last Wednesday after noticing an “external intrusion” but until last night had remained tight-lipped on the extent to which its security had been compromised. In an announcement posted on the US PlayStation Blog, senior director of corporate communications and social media Patrick Seybold admitted that Sony first noticed the intrusion on April 17.
Seybold wrote: “Although we are still investigating the details of this incident, we believe that an unauthorised person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
“While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”
Sony advises concerned customers to be “especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information,” suggests users change their PSN passwords when the service is eventually restored and closely monitor account statements and credit reports.
The news was met with overwhelming criticism online, with users expressing their frustration at Sony having taken almost ten days to notify them that their personal details may have been compromised. In a post on the European PlayStation Blog, SCEE head of communications Nick Caplin sought to clarify the situation, saying: “There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised.
“We learned there was an intrusion [on] April 19 and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.
“It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly yesterday evening.”
In the meantime Sony has posted a detailed FAQ to allay customer concerns and is to email a copy of the announcement to all affected users. With well over 60 million registered PSN accounts, however, that may take some time.