Massive data theft: 77 million users exposed in Sony's PlayStation security breach

Tokyo and New York — Reuters

An advertisement for Sony Corp.'s PlayStation 3 game console is seen on the floor of an electronic store in Tokyo. (Yuriko Nakao/Reuters)

Sony Corp. suffered a massive breach in its video game online network that allowed the theft of names, addresses and possibly credit card data belonging to 77 million user accounts, in one of the largest Internet security break-ins ever.

Sony said it learned of the breach in its popular PlayStation Network on April 19, prompting it to shut down the network immediately. Sony did not tell the public about the stolen data until Tuesday, hours after it launched its new tablet computers in Japan.

Story continues below ad

An "illegal and unauthorized person" obtained names, addresses, e-mail addresses, birth dates, usernames, passwords, logins, security questions and more, Sony said on its U.S. PlayStation blog on Tuesday.

A Sony spokesman said it took "several days of forensic investigation" after learning of the breach before the company knew consumers' data had been compromised.

Children with accounts established by their parents also might have had their data exposed, Sony said.

Sony said it saw no evidence credit card numbers were stolen, but warned users it could not rule out the possibility.

"Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained," Sony said.

The news sparked fury among users.

"If you have compromised my credit information, you will never receive it again," read one message on the PlayStation Network blog from a user under the name Korbei83.

"The fact that you've waited this long to divulge this information to your customers is deplorable. Shame on you."

The shutdown of the PlayStation Network prevented owners of Sony's video game console from buying and downloading games, as well as playing with rivals over the Internet.

Sony said it could restore some of the network's services within a week.

Alan Paller, research director of the SANS Institute, said the breach may be the largest theft of identity data information on record.

The online network was launched in the autumn of 2006 and offers games, music and movies to people with PlayStation consoles. It had 77 million registered users as of March 20, a Sony spokesman said, almost 90 per cent of them in Europe or the United States.

Analysts said that while Sony has notified customers of the breach, it had still not provided information on how user data might have been compromised.

"This is a huge data breach," said Wedbush Securities analyst Michael Pachter, who estimated Sony generates $500-million in annual revenue from the service. "The bigger issue with Sony is how will the hacker use the info that has been illegally obtained?"

Sony said it had hired an "outside recognized security firm" to investigate.

The company said user account information for the PlayStation Network and its Qriocity service users was compromised between April 17 and April 19.

Hackers have stolen personal data in the past from large companies. In 2009, Albert Gonzalez pleaded guilty to stealing tens of millions of payment card numbers by breaking into corporate computer systems at companies such as 7-Eleven Inc. and Target Co.

Sony said its users could place fraud alerts on their credit card accounts through three U.S. credit card bureaus, which it recommended in its statement.

The company declined to comment on whether it was working with law enforcement or other parties in its investigation.

Sony has reported the breach to Federal Bureau of Investigations, the New York Times reported on its website. Democrat senator Richard Blumenthal also sent a letter to the Japanese firm asking it to explain why it didn't notify PlayStation owners sooner.

The breach is a major setback for the Japanese electronics maker. Although video game hardware and software sales have declined globally, the PlayStation franchise is a substantial profit source and remains a flagship product for Sony.

Sony intends to use PlayStation games to lure consumers to buy its first tablet computers. The company will start selling the tablets later this year to compete against Apple Inc.'s iPad and aims to overtake Samsung Electronics to become No. 2 in the burgeoning market. The company also plans to launch a new hand-held games device, the Next Generation Portable, by the end of the year.

Follow us on Twitter: @GlobeTechnology