Sony Corp. (6758) was subpoenaed by New York Attorney General Eric Schneiderman over data breaches of its PlayStation Network and Sony Online unit, and representations made to customers, a person familiar with the probe said.
The subpoenas follow the company’s statement that it was attacked by computer hackers between April 16 and April 19. Tokyo-based Sony said May 2 that the attack on its PlayStation Network and Qriocity online music and film service in mid-April also gave hackers access to data from Sony Online Entertainment, a separate unit that makes role-playing games.
Hackers gained access to 23,400 credit card and debit records from non-U.S. customers and the personal account information of 24.6 million account holders through the SOE network alone. The thieves had access to user names, birth dates, addresses and passwords of at least 77 million customers in all, Sony said.
The Tokyo-based company apologized for the breach and said it is cooperating with authorities, including the FBI. The company has faced a legal and regulatory backlash, including from lawmakers, over the time it took to warn its customers. Sony alerted customers of a breach on April 26, six days after shutting down the PlayStation Network and Qriocity service.
Schneiderman is seeking information on what Sony told customers about the security of its networks, as part of a consumer protection inquiry, said the person familiar with the matter, who wasn’t authorized to speak publicly.
Sony was concerned “that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence,” the company said in a letter today in response to questions about the breach from the U.S. House subcommittee on commerce and trade.
Patrick Seybold, a spokesman for Sony, said in an e-mailed statement that “we will review and respond to this request and will continue to work with law enforcement authorities as they investigate the criminal attack on our networks.”
Lauren Passalacqua, a spokeswoman for Schneiderman, declined to comment today on the subpoenas.
Hackers exploited a known security vulnerability to gain access to 77 million PlayStation Network and Qriocity user names, addresses, gender, birth dates and other information, Sony has said. It wasn’t clear how many of the 24.6 million accounts in the newly reported breach share duplicate user information.
The FBI’s San Diego office is investigating the matter, said agent Darrell Foxworth, a spokesman for the office.
Sony said in its letter today that while looking into the Sony Online Entertainment breach, it discovered that intruders had “planted a file on one of those servers named ‘Anonymous’ with the words ‘We are Legion.’” The company noted that weeks earlier, several Sony divisions had been the “target of a large-scale, coordinated denial of service attack” by Anonymous, a hacker-activist group.
Sony was singled out in a statement by Anonymous after the company sued George Hotz, a 21-year-old hacker who publicized tools for playing unauthorized games on the PlayStation console. The group issued a separate statement denying responsibility for the PlayStation Network disruption, while saying some of its members may be behind it.
“If anyone from AnonOps did that, they’re not talking about it,” said Barrett Brown, an informal spokesman for Anonymous, referring to the “operations” group that carried out so-called denial of service attacks against Sony company websites in April.
Sony has hired Protiviti Inc., Guidance Software Inc. (GUID) and Data Forte Corp., three cybersecurity firms, to aid in the breach investigation, according to Seybold. The companies will work with the FBI in tracking potential clues left behind by the hackers and try to discover whether the thieves still have access to the gaming network.
In response to the intrusion, Sony also named a new chief information security officer, added software and enhanced encryption to defend against new attacks, implemented new firewalls and expedited its plan to move its system to a new data center with enhanced security.
A lawsuit was filed April 27 in federal court in San Francisco alleging the delay in notification left PlayStation users exposed to losses related to any credit-card data theft. Officials in the U.K. and Ireland began inquiries. And the Toronto law firm McPhadden Samac Tuovi LLP sent out a statement yesterday saying it had commenced a proposed class action against Sony seeking damages in excess of $1 billion.
The breach of Sony Online Entertainment exposed information from an outdated 2007 database, including about 12,700 non-U.S. credit or debit card numbers and expiration dates, Sony has said. The credit-card information didn’t include security codes, the company said. The three- and four-digit codes are used as a second source of authentication for many online vendors.
The stolen data may include 10,700 direct debit records of customers in Austria, Germany, the Netherlands and Spain. The compromised debit account information included customer names, bank account numbers and account names, Sony has said.
Sony also suggested customer passwords may have been less vulnerable than originally thought.
Passwords were protected by a security measure called a hash algorithm, in which the password a user types in is converted on Sony’s servers to a string of characters entirely unrelated to the original password, Seybold has said on the company’s official blog.
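The mechanism Seybold describes is illustrated below with an added example that is not from the article or from Sony: the article says only that a hash algorithm was used, and nothing about salting or iteration counts, so the scheme here (PBKDF2-HMAC-SHA256 with a random per-user salt and a configurable iteration count, using only the Python standard library) is this example's own choice and should not be read as Sony's actual implementation. It shows why a stored record contains no recoverable form of the password, why two users with the same password get different records, and how a server verifies a login without ever storing the plaintext.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Sony's code. Record format and parameters are assumptions.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: a high work factor so guessing is slow per attempt
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record "alg$iterations$salt_hex$digest_hex".

    The plaintext password never appears in the record; only the salt,
    the work factor and the derived digest are kept.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare it in constant time; malformed records are rejected."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        count = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or count < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, count)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("records differ despite identical password:", record_a != record_b)
    print("login with right password:", verify_password("correct horse battery staple", record_a))
    print("login with wrong password:", verify_password("Correct horse battery staple", record_a))
```

Note the caveat a defender would add to Seybold's description: a hash stops an intruder who copies the database from reading passwords directly, but a weak or reused password can still be recovered by guessing, which is why the salt (no shared precomputation across users) and the iteration count (each guess costs real time) matter as much as the choice of hash function.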
Sony units Computer Entertainment America LLC, Sony Network Entertainment and Sony Online Entertainment LLC were all subpoenaed by the New York Attorney General over the breaches and what the company told customers about them, the person familiar with the matter said.
To contact the editor responsible for this story: Michael Hytha at firstname.lastname@example.org.