Sony Online Entertainment, a maker of role-play video games, suspended service after discovering a hacker gained access to 23,400 credit card and debit records from non-U.S. customers.
The Sony Corp. division took its network down last night, according to an e-mailed statement today. The San Diego-based producer of multiplayer online games such as “EverQuest” and “DC Universe Online” said engineers and security consultants discovered “personal information from approximately 24.6 million SOE accounts may have been stolen.”
The breach, which has shut down Sony’s PlayStation and Qriocity video- and music-streaming services since April 20, also exposed information from a 2007 database, including about 12,700 non-U.S. credit or debit card numbers and expiration dates. The credit-card information that may have been stolen didn’t include card security codes, or pins, that serve as a second source of authentication, Sony said.
“This is not a second attack,” Taina Rodriguez, a spokeswoman for the Sony Corp. unit, said in an e-mail. “The temporary takedown of SOE services was related to the ongoing investigation of the external intrusion that occurred in April.”
The stolen data may include 10,700 direct debit records of customers in Austria, Germany, the Netherlands and Spain. The compromised debit account information included customer names, bank account numbers and account names, Sony said.
Sony American depositary receipts rose 49 cents to $28.80 at 4 p.m. in New York Stock Exchange composite trading. The shares have dropped 19 percent this year.
Kazuo Hirai, Sony’s executive deputy president in charge of consumer products and network services, apologized on May 1 for the security breach between April 17 and April 19 that exposed 77 million online customer accounts. Sony faces a legal and regulatory backlash because it took more than a week to warn subscribers.
Sony is trying to restore consumer confidence by moving its data center from the current location in San Diego, appointing a chief information security officer, updating game-console system software and requiring users to change their passwords.
Legal, Technology Costs
“We expect Sony to be able to overcome this issue by implementing stronger security measures, enabling it to win back the trust of its stakeholders,” Ryosuke Katsura, senior analyst for Mizuho Securities Co. in Tokyo, who has an “outperform” rating on Sony shares, said in a research note today.
Legal and technology costs are likely to increase because of the incidents, further hurting Sony’s credit profile, Moody’s Japan K.K. said in a statement today. Sony has an A3 rating at Moody’s with a “stable” outlook. Moody’s will continue to monitor developments regarding the data-security breach, it said in the statement.
A lawsuit filed April 27 in federal court in San Francisco alleges the delay left PlayStation users exposed to losses related to any credit-card data theft. Officials in Connecticut, the U.K. and Ireland began inquiries. The Italian Data Protection Authority said April 28 it will contact Sony to gather more information and Japan’s Ministry of Economy, Trade and Industry is also doing the same.
Sony won’t send representatives to a U.S. House hearing May 4 on data theft, citing the ongoing investigation, Ken Johnson, a spokesman for Representative Mary Bono Mack, a California Republican, said today in an interview.
Sony issued warnings on April 26 saying personal information, such as e-mail addresses, birth dates and login information, was stolen by a hacker. Purchase history and credit card information may have been stolen, the company said.
The company is probing the extent of that data theft and said yesterday that it had no evidence that information on another 10 million credit cards registered to PlayStation Network and Qriocity had been leaked.
Sony was singled out in a statement by a group of hacker-activists known as ‘Anonymous’ after the company sued George Hotz for posting online information about how to install alternative operating systems for the PS 3 game console. The group issued a separate statement denying responsibility for the PlayStation Network disruption, while saying some of its members may be behind it.
Sony has had attacks by hackers in the past few months, Hirai said. Involvement of the so-called ‘Anonymous’ hacker group in the late April incident hasn’t been proven, he said.
Hackers previously also targeted Sony along with companies including Google Inc., Walt Disney Co. and Johnson & Johnson, according to a confidential e-mail discussing the subsequent investigation.
PlayStation Network was introduced in November 2006 when Sony started selling PlayStation 3 game consoles, according to Sosuke Kamei, a Tokyo-based spokesman for the company’s game unit. The online services will remain core to Sony’s strategies and the company won’t delay introduction of networked products such as tablet computers and portable gaming devices, Hirai said.