Second Sony breach hits 25 million users

Sony has confirmed a hack on its Sony Online Entertainment (SOE) division may have seen personal data of around 24.6 million users stolen.

The revelation of the second hack came after Sony recently apologised for another compromise affecting 77 million PlayStation Network (PSN) customers.

SOE, an online gaming network like PSN but for PC gamers, was shut down as soon as the company became aware of the data breach, it said today.

Sony, which came under fire for not being quicker in notifying customers of the PSN breach, said it was "making this disclosure as quickly as possible after the discovery of the theft."

Sony said the SOE hack may have taken place on 16 and 17 April, before the PSN attacks.

Financial data was compromised as hackers were able to steal 2,700 credit or debit card numbers and 10,700 direct debit records of non-US SOE customers from "an outdated database from 2007."

Other data at risk included names, addresses, telephone numbers, email addresses, gender, date of birth, login ID and hashed passwords.

Unlike with the PSN hack, Sony did not confirm credit card numbers of SOE customers were encrypted.

The total number of Sony customers affected now surpasses 100 million, which F-Secure chief research officer Mikko Hypponen said "must be some sort of a record."

"This is pretty big. For example, we have scores of employees at F-Secure who are affected," Hypponen said in a blog post.

Sophos senior security advisor Chester Wisniewski was shocked the data was taken from an outdated database.

"It is just unfortunate that Sony had not taken a few preventative measures to be sure our information was safe," Wisniewski said on a blog.

"It is important to remember that Sony is a victim as well, not just the 101.5 million customers whose personal information has been disclosed. Malicious attacks like this are a serious crime."

This week should see the return of PSN, as Sony announced it will begin a phased restoration by region.

Sony said it has also worked with external firms to introduce "significant security measures," whilst confirming it will create a chief information security officer position at the company.

On top of improved data protection and encryption, Sony said it had added automated software monitoring and configuration management to help defend against new attacks.

Extra services for customers concerned about security were also launched.

"We have learned lessons along the way about the valued relationship with our consumers," said Kazuo Hirai, executive deputy president at Sony.

"We will be launching a customer appreciation programme for registered consumers as a way of expressing our gratitude for their loyalty during this network downtime, as we work even harder to restore and regain their trust in us and our services."

The PlayStation creator said it was collaborating with the FBI to investigate the breaches as it works to restore all affected services.

Tom Brewster
