Sony has warned users of
its PlayStation Network that their personal information, including
credit card details, may have been stolen.
The company said that the data might have fallen into the
hands of an "unauthorised person" following a hacking attack on its
online service.
Access to the network was suspended last Wednesday, but Sony has only now revealed details of what happened.
Users are being warned to look out for attempted telephone and e-mail scams.
In a statement
posted on the official PlayStation blog,
Nick Caplin, the company's head of communications for Europe, said: "We
have discovered that between April 17 and April 19 2011, certain
PlayStation Network and Qriocity service user account information was
compromised in connection with an illegal and unauthorized intrusion
into our network".
The blog posting lists the personal information that Sony believes has been taken.
- Name
- Address (city, state/province, zip or postal code)
- Country
- E-mail address
- Date of birth
- PlayStation Network/Qriocity passwords and login
- Handle/PSN online ID
Mr Caplin added: "It is also possible that your profile
data, including purchase history and billing address (city, state, zip),
and your PlayStation Network/Qriocity password security answers may
have been obtained.
"For your security, we encourage you to be especially aware
of email, telephone, and postal mail scams that ask for personal or
sensitive information."
Read the full text of Sony's PlayStation hack apology here. Credit cards Sony admitted that credit card information, used to purchase games, films and music, may also have been stolen.
"While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility," Mr Caplin said.
"If you have provided your credit card data through
PlayStation Network or Qriocity, to be on the safe side we are advising
you that your credit card number (excluding security code) and
expiration date may also have been obtained."
Sony has not given any indication of how many PlayStation
Network users may have had their information taken, but the service has
around 77 million members worldwide.
Investigation The UK's information commissioner, Christopher Graham, said that his organisation had already begun investigating the Sony hack.
He told BBC Radio 4's "You and Yours" programme, that it looked like "a very significant breach of data protection law".
The Information Commissioner's Office (ICO) has the power to impose fines of up to £500,
However, Mr Graham stressed that his ability
to take action would ultimately depend on whether data from the
PlayStation Network was stored in the UK - something he was still trying
to establish.
"It if turns out that it is our responsibility here in the UK, we would ask 'were the security measures appropriate'," he added.
'PR Disaster' The theft of so much detailed customer data would be seen as a
"public relations disaster", according to Graham Cluley, senior
technology consultant at security firm Sophos.
"This is a big one," he told BBC News.
"The PlayStation Network is a real consumer product. It is in lots of homes all over the world.
"The impact of this could be much greater than your typical internet hack."
Mr Cluley warned that, even without credit card details, the
information taken was enough to help criminals carry out further attacks
on other services.
"Some people will use the same passwords on other sites. If I
was a hacker right now, I would be taking those e-mail addresses and
trying those passwords," he said.
User anger Some streaming media services available on PlayStation have been affected by the outage
PlayStation users got their first indication that something was
wrong with the service when it became unavailable on Wednesday 20
April.
In the following days, Sony issued three brief statements
asking users to be patient while it investigated an "external
intrusion", or hack.
However, the fact that it took almost seven days for the company to reveal that data had been taken has angered some gamers.
Commenting on the Sony blog, Tacotaskforce wrote: "You waited
a week to tell us our personal information was compromised? That should
have been said last Thursday."
Another user Sid4peeps wrote: "This update is about 6 days
late. I think it is time to move to the other network, no regard for
customers here."
But some PlayStation users appeared to be happy with Sony's
handling of the matter. Ejsponge61 commented: "Wow, this is alot of
info. Thanks, this is very much appreciated by all of us PlayStation
fans."
The Sony PlayStation Network remains unavailable to users. The company has not said when service will be restored.