Sony Corp., maker of the PlayStation 3 video-game console, may have exposed customers to years of potential identity theft after hackers breached the company’s online entertainment networks in mid-April.
The risk will stay with as many as 100 million customers of Sony’s PlayStation Network, Sony Online Entertainment and Qriocity film and music service for years, even as the chance of credit-card fraud recedes, said Steve Ward, a spokesman for Fairfax, Virginia-based online-security company Invincea.
“The attackers may have your name, your birth date, potentially your mother’s maiden name,” Ward said in an interview. “These are all the things used to check your identity, and that can be used to falsify it.”
The value of stolen credit-card numbers diminishes each day after a data breach becomes known because users and bank-card issuers typically step up monitoring. Sony, which was attacked between April 16 and April 19, said it had encrypted customers’ credit-card numbers with security that would make codes difficult to read by hackers who penetrated the system.
“There is no evidence that our main credit card database was compromised,” Sony said in a statement to its users. “It is in a completely separate and secured environment.”
The best sign that Sony’s assertion is true may be the passage of two weeks without reports from credit-card issuers of wide-scale fraud, according to an FBI cyber-crime investigator who asked not to be named because he wasn’t authorized to speak to the press.
As more days go by, it’s less likely card numbers were stolen or, if they were, that potential losses will be large, the person said.
The FBI’s San Diego office is investigating the matter, said agent Darrell Foxworth, a spokesman for the office.
Third Service Attacked
Tokyo-based Sony said yesterday that the attack on its PlayStation Network and Qriocity online music and film service in mid-April also gave hackers access to data from Sony Online Entertainment, a separate unit that makes role-playing games. Hackers gained access to 23,400 credit card and debit records from non-U.S. customers and the personal account information of 24.6 million account holders.
The disclosure that a third service was compromised came a day after top Sony executives offered a public apology and said they had no evidence a separate 10 million credit card numbers registered to PlayStation Network and Qriocity had been stolen in the attacks.
“We have to regain the trust and confidence of our users,” Kazuo Hirai, Sony’s executive deputy president in charge of consumer products and network services, said May 1 at a Tokyo press conference.
Hackers exploited a known security vulnerability to gain access to 77 million PlayStation Network and Qriocity user names, addresses, gender, birth dates and other information, Sony said. It wasn’t clear from the statement how many of the 24.6 million accounts in the newly reported breach share duplicate user information.
The financial impact Sony faces depends on how well the company convinces customers it “will make things right,” Michael Pachter, an analyst with Wedbush Securities in Los Angeles, said in an interview with Bloomberg Television. He estimates credit-card fraud, repairs to its networks and marketing costs will amount to $50 million.
“There will be a hit if in fact they see their business dip,” Pachter said. “I’d say $50 million, not $24 billion, and I think Sony can handle $50 million.”
The breach of Sony Online Entertainment exposed information from an outdated 2007 database, including about 12,700 non-U.S. credit or debit card numbers and expiration dates, Sony said yesterday in a statement. The credit-card information didn’t include security codes, the company said. The three- and four-digit codes are used as a second source of authentication for many online vendors.