Sony admits PlayStation Network user information compromised by hackers [Updated]
Sony Corp. on Tuesday admitted that hackers have obtained personal data and possibly credit card information of tens of millions of people who have registered for PlayStation Network, the company's online game and movie service, as well as its Qriocity digital music service.
Sony said it had 77 million accounts as of March 31 for its PlayStation Network, which links users via the Sony PlayStation 3 console to game downloads and online services such as Netflix Instant Watch video streaming service. Not all accounts are active, and it's possible that one person can have multiple accounts.
In a blog post, company spokesman Patrick Seybold said whoever gained access to personal information last week was able to steal the names, addresses, phone numbers, user names, birth dates, email addresses and passwords of registrants. The company acknowledged that it did not know whether credit card information was also stolen.
"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," Seybold wrote. "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
Sony last week shut down its PlayStation Network service, saying the service had been the target of an "intrusion," but did not release details until Tuesday.
The delay in notifying customers drew the ire of U.S. Sen. Richard Blumenthal (D-Conn.), who fired off a letter to Sony, saying he was "troubled by the failure of Sony to immediately notify affected customers of the breach."
Sony said it did not understand the extent of the damage until Monday.
"We learned there was an intrusion April 19th and subsequently shut the services down," Seybold wrote Tuesday in an email response to a question from the Times regarding the timing of events. "We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon."
Such a broad breach of consumer information is rare, because most companies take precautions to silo customer information, separating contact information from credit card data, for example, so that only parts of any customer's profile can be accessed from a single attack.
The company said it plans to get parts of the PlayStation Network services back up "within a week."
-- Alex Pham
Photo: A demonstration of the PlayStation Move controller during Sony's press conference at the E3 convention in June 2010. Sony said hackers have obtained personal data and possibly credit card information of tens of millions of people who have registered for PlayStation Network. Credit: Lawrence K. Ho / Los Angeles Times