Almost a week after abruptly cutting access to its PlayStation and Qriocity Network, Sony has finally admitted it has suffered a huge data breach that could have compromised the account details of tens of millions of subscribers.
According to a company blog update, between 17 April and 19 April, an intruder hacked into its network and gained access to just about every significant piece of data that subscribers store on the system, including passwords, logins, online IDs and even addresses, birth dates and purchase histories.
More seriously, although Sony is not certain that credit card data has been stolen, “we cannot rule out the possibility,” the blog said. “If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”
With identity theft a real possibility, the company has warned subscribers to be on the lookout for post, telephone and email scams, and for cold contacts asking for added personal data such as social security numbers. When the system does return, users will also have to change their logins, although that will seem like a trifling inconvenience for those at risk of compromise, mostly parents of game-playing minors.
The blog doesn’t mention how many users could have been affected but that will almost certainly run to a measurable percentage of the system’s reported 77 million global subscriber base.
It goes without saying that the news is a disaster for Sony and some will criticise the company for taking several days to inform users of the serious nature of the breach. Others might praise the company for having the guts to pull the plug so publically, the only possible course of action when the scale of intrusion was not fully understood.
Without the full scale of what has happened yet revealed, it is difficult to compare the incident to previous major data breaches. Probably the most notorious of these was the TJX attack of 2007, believed to have affected at least 45 million credit cards held in databases by the retailer. It is not clear, however, whether any credit cards have been compromised in the latest incident.