Sony discloses second breach, refuses to testify

One day after issuing a formal public apology for service outages following massive data breaches, Sony Corp. announced more than 24.6 million additional customer accounts have been compromised.

Sony also said as many as 12,700 foreign credit or debit card numbers and expiration dates and approximately 10,700 direct debit records of customers in Austria, Germany, Netherlands and Spain were stolen from what the company calls "an outdated database from 2007." The 24.6 million additional accounts hacked were Sony Online Entertainment LLC (SOE) accounts. The company has now acknowledged information from more than 100 million of its customer accounts was stolen by hackers last month.

Sony declines to testify

The Green Sheet has confirmed Sony refused a request to testify about its data breach problems before the U.S. House Commerce, Manufacturing and Trade Subcommittee May 4. The company told the subcommittee it would not testify because of its ongoing investigations, a spokesman for the subcommittee Chair, Rep. Mary Bono-Mack, R-Calif., confirmed. The subcommittee request to testify was issued before Sony's second discovery of more compromised data.

"As we understand from Sony's statements, all facts regarding the breach are not yet known, and an internal investigation continues," Rep. Bono-Mack and Ranking Minority Member Rep. G.K. Butterfield, D-N.C., wrote to Sony in their April 29 invitation to testify. "Sony's public statements suggest there is no evidence credit card data was taken, but such a scenario cannot be ruled out. Given the amount and nature of the personal information known to have been taken, the potential harm that could be caused if credit card information was also taken would be quite significant."

The committee requested Sony answer the following 13 questions:

• When did you become aware of the illegal and unauthorized intrusion?
• How did you become aware of the breach?
• When did you notify the appropriate authorities of the breach?
• Was the information obtained applicable to all accounts or to a portion of the accounts? How many consumers or accounts were impacted by this breach, and how did you ascertain the number?
• Why did you wait to notify your customers of the breach?
• Have you identified how the breach occurred?
• Have you identified the individual(s) responsible for the breach?
• What information was obtained by the unauthorized individual(s) as a result of this breach, and how did you ascertain this information?
• How many PlayStation Network accountholders provided credit card information to Sony Computer Entertainment?
• Your statement indicated you have no evidence at this time that credit card information was obtained, yet you cannot rule out this possibility. Please explain why you do not believe credit card information was obtained and why you cannot determine if the data was in fact taken?
• What steps have you taken or do you plan to take to prevent such future breaches?
• Do you currently have a policy that addresses data security and retention practices? If not, why not? If so, what are those practices, and do you plan any changes in your policies as a result of this breach?
• What steps have you taken or do you plan to take to mitigate the effects of this breach? Do you plan to offer any credit monitoring or other services to consumers who suffer actual harm as a result of this breach?

Cort Bush, a press contact in Rep. Bono-Mack's office, confirmed the congresswoman originally gave Sony until May 6 to respond to these questions. Sony agreed to her request to push the response deadline to the morning of May 4, before the scheduled hearing. Sony agreed to provide the answers early after the company declined to testify at the hearing. Bush said Bono-Mack's office will release Sony's answers after the company responses have been reviewed.

The newly discovered hack

The newly discovered SOE network hack apparently occurred at the same time as the earlier discovered data breach of 77 million PlayStation Network and Qriocity customer accounts. The break-in occurred April 16 and 17, 2011, but the SOE hack was not discovered by Sony engineers and security consultants until May 2, SOE said in a press release. The company immediately shut down all SOE servers on discovering the breach, it said. This means SOE, PSN, and Qriocity, the backbone of the Sony gaming and entertainment business, is shutdown for an unknown amount of time while the company reviews and rebuilds its security network.

Among the kinds of personal information taken during the data breach were names, addresses, email addresses, birthdates, gender, phone numbers, login names and passwords, the company said. Sony still claims it does not know if credit card information was stolen despite persistent reports that card information taken from Sony, along with card security numbers, are for sale on underground websites.

"There is no evidence that our main credit card database was compromised," SOE noted on its website May 3. "It is in a completely separate and secured environment."

The company also indicated the apparent breach of the "outdated" 2007 database netted the thieves debit card records from customers in Austria, Germany, Netherlands and Spain, along with bank account numbers, customer names, account names and customer addresses.

Sony is adding 30-days' free game time to every subscription and compensating gamers one day for each day the system is down. The company is additionally working on a "make good" plan for its PlayStation 3 Massively Multiplayer Online customers. It has also promised to help customers enroll in identity theft protection services.

The company urges its customers not to respond to emails, phone calls or mail that asks for personal information even if the message appears to be from Sony. The company promises customers it will not send out any notices asking for personal information or credit card numbers. The company is further recommending changing account names and passwords on other, unrelated personal accounts.

"To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports," the company said. The company is not saying when it will have gamers back online. It will only say that online services will be restored "as soon as possible."

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.