Customer Notification May 2, 2011
Dear Valued Sony Online Entertainment Customer:
Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.
Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained and we will be notifying each of those customers promptly.
There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.
We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.
We apologize for the inconvenience caused by the attack and as a result, we have:
1. Temporarily turned off all SOE game services;
2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3. Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.
For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When SOE's services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:
U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit
www.annualcreditreport.com or call toll-free (877) 322-8228.
We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
You may wish to visit the web site of the U.S. Federal Trade Commission at
www.consumer.gov/idtheft or reach the FTC at (877) 382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or
www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or
www.oag.state.md.us.
We are committed to helping our customers protect their personal data and we will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in regions in which such programs are commonly utilized.
We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at (866) 436-6698 should you have any additional questions.
Sincerely,
Sony Online Entertainment LLC
Comments
Assuming Cryptic/Atari is not that careless there shouldn't be a problem.
so its more that sony is at fault here, free almost = low security, good security cost and if something is free then i bet the cost has to be low ... anyways this smells like an "inside job" someone that got fired! or wants to be
Uh, no.
Bungie.net was TRIBBLE, and some people had their Live information entered into said website.
Do people have their Live accounts stolen? Sure, but mostly due to social engineering and the general stupidity of the public. The security of Live itself has never been compromised.
But lets not make it easy shall we.;)
Free does not have anything to do with security level. PSN connection is free, but the PSN is an extremely powerful revenue machine - their DLC sales rival Xbox Live (and remember aside from online play most XBL services are free to access), and it serves as the platform for some premium media services like Hulu.
The issue emerging is that Sony appears to have not altered any security after the network was compromised a while back, and their security was already running under a scheme that had been broken.
As for Microsoft getting TRIBBLE "all the time": Xbox live has never been compromised. Games for Windows Live has only been compromised in so far that its anti cheat measures have been occasionally bypassed. Windows Update has only beeh TRIBBLE in so far that copy protection has been occasionally bypassed (both of these are a client side hack), and the only time since that big denial of service in the 90's that a Microsoft service has actually been compromised by an external intrusion has been an idiot who kept using an unethical domain registrar to snipe hotmail.com in the 1 minute renewal window. The hack on Bungie was an interesting one because what information was made public strongly points to an inside helper which Microsoft and Bungie were deafeningly silent about.
/10char
WE can't prevent this happening to Cryptic. CRYPTIC can prevent this happening to Cryptic.
what i miss.......
Easily ending my sub once the servers are online again....was planning to leave SWG anyway :rolleyes:
Sony said that those 12700 people who they believe had their credit details stolen would be contacted again.
The thing that really bothers me about this the original intrusion was weeks before the PSN shutdown they breached the system on the 16th from the reports and Sony didnt feel that there was any threat worth responding to. Then using the same techniques they assaulted the PSN database.
All the info's there on the net the Congress investigation etc.
Lets hope for Sonys sake as well as the 77million playstation users, of which I'm one, that the situation is resolved soon.
Of course, if C-net is to be believed (or rather, if their source can be believed) the vulnerability is still there in other Sony networks and the same group is planning to take down additional services this weekend. If they do manage that, I'll count that as Sony doing something monumentally stupid.
Yeah and did they close there network down, or keeping it going?
So according to your link, "Expert says Sony knew of PSN security weakness". What a bunch of TRIBBLE. No wonder why nothing ever works in their games, because they never bother to fix anything. I wonder why they're still in business for online games.
examine the statement you just made. Switching to something new isn't fixing it, it's just making something new and hoping you don't run into the same problems.
http://www.digitaltrends.com/computing/sony-offers-u-s-psn-and-qrirocity-users-free-identity-theft-protection-for-one-year/
EDIT: Link to story about moving servers: http://arstechnica.com/gaming/news/2011/04/sony-kept-some-psn-data-encrypted-and-is-physically-moving-hardware.ars
No, I'm fully aware of the facts here. But being that I know about programming and have experience beta testing, presenting something new to the equation doesn't solve the problem. Every time you change the equation, the problem has to be re-evaluated.
I'm telling you that switching to new servers isn't going to do anything.
Your statements are obvious assumptions and doesn't really point out asignificantignicant.
I've been a subscriber of sony online games since the vbeginningning, I know the company very well. I have a long history of watching them patch stuff and switch to new servers after repeated requests to fix things.
Stuff like this is the reason why I won't play any online games from Sony anymore.
And what idiot would use their ID Theft services, if they can't even mange their customer information responsibly in the first place.
Seriously.
Not to mention this isn't the first time the Sony issue has been talked about on the forums.
It was all over Recon Armor. I think in the end ultimately one person lost their account to someone wanting the profoundly ugly gear.
You want to see a company that gets nailed a lot, try Comcast. They try so hard to hide it, but it's weekly with them.
Hillarious. LOL
It's not Sony's service, it's third party... though as of Friday Sony was not going to be providing ID theft insurance, only credit monitoring and protection. Anyone who actually loses money will not be reimbursed. Most of these services range from things you can do yourself to nothing at all unless you pony up extra for the insurance.
Also, Sony's shiny new servers were breached already. Only thing there was some old archive of 2001 sweepstakes entries, a few thousand addresses that were probably in the 77 million from last month anyway, but the important thing is: this is Sony's "new" servers. Sony was warned last week that it's hardened servers were worthless, the vulnerability is in their old security scheme that was broken years ago and hasn't been supported by the developer in almost a decade, and which they planned to keep using.
Now they're out a lot of money and will hopefully be going back to square one with a solution that would have saved them most of what they've paid to date. Their blog is talking like another week of downtime, but they've stepped up the offer: It's now 2 PS3 games and 2 PSP games of the user's choice, not Sony's (though Sony gets to shortlist the four games you can pick from).