Sony Corp., reeling from the second-largest online data breach in U.S. history, shut down some Internet services in Canada, Thailand and Indonesia after detecting unauthorized intrusions.
Intruders stole the names and e-mail addresses of about 2,000 customers at Sony Ericsson Mobile Communications AB’s Canadian website, while a site in Thailand may have been modified to help send fraudulent e-mails, spokesman Atsuo Omagari said. The company also suspended a site in Indonesia because of a suspected attack and found Web codes for the Japanese music unit were stolen, he said.
The incidents fuel investor concerns over Sony’s online security after hackers stole data from possibly more than 100 million user accounts last month, crippling its PlayStation Network and costing the company an estimated 14 billion yen ($171 million). The new intrusions indicate Sony is failing to contain the situation, analysts including Nobuo Kurahashi said.
“This is getting very serious,” said Kurahashi, who has a “neutral plus” rating on Sony at Mizuho Financial Group Inc. in Tokyo. “What looked like a game-related attack in the U.S. is spreading to other businesses such as music and to all over the world. It may take significantly longer than expected for Sony to get over this.”
Sony fell 1.5 percent to close at 2,236 yen in Tokyo trading, extending its loss this year to 24 percent, triple the drop by Japan’s benchmark Nikkei 225 Stock Average.
The Canadian site, which isn’t connected to Sony Ericsson’s servers, was disabled after the security breach was detected yesterday, the mobile-phone company said.
Sony said it is investigating signs the Thai site was accessed to conduct so-called “phishing,” a scam where people send legitimate-looking e-mails to steal personal information from victims. Sony’s music affiliate in Indonesia has suspended part of its services since May 21 to check whether content has been altered by an intruder, Omagari said.
“Sony is investigating whether the attacks discovered in the past week are related to each other,” he said. “Sony hasn’t found evidence to link those attacks to last month’s intrusion into the PlayStation Network.”
At Sony Music Entertainment (Japan) Inc., hackers have stolen programming code related to artists’ sites, said Yoshikazu Takahashi, a spokesman at the unit. He declined to elaborate on how the company dealt with the situation or give the number of artists involved in the incident.
Yesterday, Sony said intruders accessed a unit’s website in Greece, compromising private information on about 8,500 customers. Less than a week earlier, online-service unit So-net Entertainment Corp. said a breach led to the misuse of user names and passwords of 128 customers.
The company, which posted its biggest annual net loss in 16 years in the 12 months ended March 31, this week cited costs stemming from the online breach as part of the reason why Sony no longer expects operating profit to increase this fiscal year. Output disruptions caused by Japan’s record earthquake in March will also reduce profit, the company said.
Sony began resuming the PlayStation Network and Qriocity entertainment services in markets outside Asia during the middle of May, more than three weeks after it suspended services. The company is sticking to its plans to fully resume the services by the end of this month, Satoshi Fukuoka, a Tokyo-based spokesman for Sony’s game unit, said today. The company is continuing efforts to resume the services in Asia, he said.
Chairman Howard Stringer, who apologized to users this month, said in an interview last week that the PlayStation Network attack was a “hiccup” in its Internet strategy and that “Nobody’s system is 100 percent secure.”
The company hired three security firms to investigate the attack and is working with law enforcement officials after customers and lawmakers said Sony was too slow to inform consumers about the breach.
A lawsuit filed April 27 in federal court in San Francisco alleges the delay left PlayStation users exposed to losses related to credit-card data theft. Officials in Connecticut, the U.K. and Ireland began inquiries. The Italian Data Protection Authority said April 28 it will contact Sony to gather more information. Japan’s government is seeking more information about Sony’s measures to prevent data theft, the Ministry of Economy, Trade and Industry said last week.
Malicious attacks in the U.S. are on the rise. They made up 31 percent of data breaches in 2010, up from 24 percent a year earlier, with each event costing U.S. businesses an average of $7.2 million, according to a March report by the Ponemon Institute. The study found that about 85 percent of all U.S. companies have experienced one or more attacks.
Anonymous, the hacker group that brought down the websites of MasterCard Inc. and other payments processors in December, vowed to retaliate this year after Sony sued 21-year-old George “GeoHot” Hotz for posting information on how to modify the PlayStation game console. Sony settled its case against Hotz on March 31.