
Sony Online Entertainment data may have been stolen

Following PlayStation Network news, Sony takes down online entertainment service and warns even more customers that their data may have been exposed in the intrusion into their systems two weeks ago.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
This is the message displayed earlier today on the Sony Online Entertainment Web site, which was taken offline. (Credit: Sony)

Sony Online Entertainment was taken offline today and the company warned users of the service that their personal data may have been stolen as part of the computer attack that exposed the information of as many as 77 million PlayStation Network accounts two weeks ago.

Earlier today, the SOE site, a multiplayer online game service, said "SOE MAINTENANCE In Progress," followed by a message: "Dear Valued SOE Customers, We have had to take the SOE service down temporarily. In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately. We will provide an update later today (Monday). We apologize for any inconvenience and greatly appreciate your patience."

In an updated announcement and press release, the company said this afternoon that during its investigation into the PlayStation Network breach it discovered that attackers may have also obtained 24.6 million Sony Online Entertainment customer names, addresses, e-mail addresses, gender, birth dates, phone numbers, log-in names, and hashed passwords.

"The information was discovered less than 24 hours ago and in response, we took down our services until we could verify their security," Sony said.

In addition, credit and debit card numbers and expiration dates (but not credit card security codes) for about 12,700 non-U.S. customers that were in an "outdated" database from 2007, and about 10,700 direct debit records listing bank account numbers of customers in Germany, Austria, the Netherlands, and Spain may have been stolen, the statement said.

"There is no evidence that our main credit card database was compromised," the company said. "It is in a completely separate and secured environment. We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible."

Also today, Sony said the credit card numbers that were potentially exposed in the PlayStation Network breach between April 17 and April 19 were encrypted, but passwords were obscured with a hash algorithm, a one-way transformation that, unlike encryption, is not designed to be reversed.

"While the passwords that were stored were not 'encrypted,' they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted," the company said in a blog post. "But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link."

A Sony spokesman said he did not know exactly how the financial information stored by Sony Online Entertainment was protected, but would try to find out.

Sony warned customers on April 26 that their personal information, including names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords, and usernames, as well as online user handles, had been obtained illegally by an "unauthorized person." The company has said repeatedly that there is no evidence that credit card information was stolen.

Kazuo Hirai, chairman of Sony Computer Entertainment, held a news conference over the weekend where he apologized for the breach and said the company would provide identity theft protection service and "will consider" helping customers who have to be issued new credit cards. Only 10 million of the accounts had credit cards associated with them, he said. Sony has not provided more details on how the breach occurred. Services, which have kept PlayStation customers from playing games online and other customers from being able to stream movies since April 20, are expected to be restored within the week, Hirai said.

Correction 3:50 p.m. PT: An earlier version of this story incorrectly said credit card information at PlayStation Network was not encrypted. Credit card information at PlayStation Network was encrypted.

Updated 3:50 p.m. PT to include Sony statement saying that as part of the investigation into the PlayStation Network breach it discovered that customer information may also have been stolen from Sony Online Entertainment.
