Sony has discovered a second major breach of its systems, compromising millions of additional accounts
Sony Online Entertainment (SOE) said on Tuesday it has discovered a second hack of its systems, in addition to the one that shut down the company’s PlayStation Network late last month.
On 26 April Sony said it had discovered that PlayStation Network and Qriocity user account information had been compromised between 17 April and 19 April. The company shut down the services and had been planning to relaunch them this week.
However, on Monday, 2 May, engineers and security consultants investigating the previously announced breach found a second breach, carried out between 16 April and 17 April, Sony said.
The findings indicated that personal information from about 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007, Sony said.
The outdated database contained about 12,700 non-US credit or debit card numbers and expiration dates, but not credit card security codes, and about 10,700 direct debit records from customers in Austria, Germany, the Netherlands and Spain. This data may also have been compromised, Sony said.
“Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks,” Sony said in a statement.
Sony has been criticised for disclosing the previous breach only about a week after it occurred. The company said it was disclosing the new information “as quickly as possible after the discovery of the theft”.
“The company has posted information on its website and will send emails to all consumers whose data may have been stolen,” Sony stated.
The personal information from the roughly 24.6 million compromised SOE accounts included names, addresses, email addresses, birthdates, genders, phone numbers, login names and hashed passwords, Sony said.
In addition to that, the 10,700 direct debit records included bank account numbers, customer names, account names and customer addresses.
Sony said it will grant customers 30 days of additional time on their subscriptions in addition to compensating them one day for each day the system is down. The company is also in the process of outlining a “make good” plan for PlayStation3 games DC Universe Online and Free Realms, and plans to release the information this week.
Sony said it will help users enroll in identity theft protection services.
Yet despite Sony’s claim that credit card data was encrypted, security researchers said last week that hackers are bragging on forum discussions that they have credit card numbers in their possession.
According to the New York Times, the hackers are threatening to sell the information for up to $100,000 (£60,000).