SOE – The Drum Beat of Bad News Continues

SOE has a new press release this morning, the meat of which is quoted below, since I expect it will disappear from the Sony site at some future date.  Comments and a couple of links follow.

SONY ONLINE ENTERTAINMENT ANNOUNCES THEFT OF DATA FROM ITS SYSTEMS

Breach Believed to Stem From Initial Criminal Hack of SOE

Tokyo, May 3, 2011 – Sony Corporation and Sony Computer Entertainment announced today that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE, the company) systems revealed yesterday morning (May 2, Tokyo time) that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT).  SOE is based in San Diego, California, U.S.A.

This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007.  The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.

With the current outage of the PlayStation® Network and Qriocity™ services and the ongoing investigation into the recent attacks, SOE had also undertaken an intensive investigation into its system. Upon discovery of this additional information, the company promptly shut down all servers related to SOE services while continuing to review and upgrade all of its online security systems in the face of these unprecedented cyber-attacks.

On May 1, Sony apologized to its customers for the inconvenience caused by its network services outages.  The company is working with the FBI and continuing its own full investigation while working to restore all services.

Sony is making this disclosure as quickly as possible after the discovery of the theft, and the company has posted information on its website and will send e-mails to all consumers whose data may have been stolen.

The personal information of the approximately 24.6 million SOE accounts that was illegally obtained, to the extent it had been provided to SOE, is as follows:

  • name
  • address
  • e-mail address
  • birthdate
  • gender
  • phone number
  • login name
  • hashed password.

In addition to the information above, the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain, include:

  • bank account number
  • customer name
  • account name
  • customer address.

SOE will grant customers 30 days of additional time on their subscriptions, in addition to compensating them one day for each day the system is down. It is also in the process of outlining a “make good” plan for its PlayStation®3 MMOs (DC Universe Online and Free Realms). More information will be released this week.

Well, that upped the ante.  Yesterday it was just 23,400 accounts, 12,700 pre-2007 credit card records and 10,700 direct debit records.

Now the count is up to 24.6 million.

24.6 million accounts accounts from SOE plus 77 million accounts from the PlayStation Network brings the stolen accounts tally over the 100 million mark.

For perspective, if each of those accounts represented a single individual, the total would surpass in population the Philippines, the 12th most populous country in the world.

So as the PlayStation Network is about to lurch into its third week of being down,  I fully expect to not be able to log into any SOE game for a second night, and likely a few more nights after that.

Over at I, Cringely there is a post up looking at credit card security rules, Japanese society, and how Sony might get themselves out of this mess.  Sony cannot start running again until they lock down all this customer data, and it sounds like they have been slack on that so far so they have a lot of work to do.

And over at the EQ2 Wire, where they suddenly have very little on which to report besides “servers still down,” there is a poll up asking users to speculate when they think SOE games will be up and available to play.

The current going winner is Friday.

Is that optimism or pessimism?

16 thoughts on “SOE – The Drum Beat of Bad News Continues

  1. Troy

    This is a major debacle for Sony (didn’t even notice at first your pun of SOE as being Offline). I can only imagine that each day they remain down, more and more gamers will desert the ship.

    How much will this cost the company?

    At this point some senior people at SOE need to give their resignation. This problem did not just occur but has been a slow slide into utter negligence over years.

    Can we say Smedley needs to pony up his paper?

    Like

  2. Toldain

    A counterfeit card bearing the number I have on file with SOE was swiped in Mexico about two weeks ago. I have that number on file many other places. That number was cancelled, so tra-la-la, this causes no more grief to me.

    Like

  3. Pingback: Sony – Slowest Sinking Ship Ever. « JohnnyBGamer:.

  4. Wilhelm Arcturus Post author

    I did not include the multiple paragraphs of boiler plate at the end of the press release, but one of the standard items was mildly amusing. It mentioned the list of SOE game and invited readers to go to the main SOE website to learn more about them.

    The problem is, if you go to the main SOE web site right now, you will only get yesterday’s press release, which won’t exactly tell you much or give you warm fuzzies about SOE’s games.

    Meanwhile, I just got YESTERDAY’s press release in the mail from Sony, with YESTERDAY’s numbers. They have since added a few zero’s to the right of the initial number of compromised accounts.

    Like

  5. Mrrs

    I checked an old email address and discovered I did get an email from SOE – and it must be attached to my Everquest account, which is separate from my Everquest 2 account. Talk about an old credit card, no worries there.

    No email yet related to Everquest 2. Perhaps because I was still cancelled as of 4/16/11 ?

    Like

  6. Arieltalia

    I don’t own a Playstation and I’ve only subscribed to SOE games through their website.

    Anybody know if I’m at risk as well or is it only the Playstation database that got hacked?

    Like

  7. Wilhelm Arcturus Post author

    @Arieltalia – If you have created a station account, then your information has likely been stolen.

    If you only play their Facebook games and have never actually signed up for a station account, then you are probably okay.

    Like

  8. Jay

    Rift is missing the boat on this one.. Free week to tryout their game would probably net them a few more paying customers

    Like

  9. Wilhelm Arcturus Post author

    @Jay – Well, the sub-ether third-hand scuttle-butt rumblings seem to indicate that Smed has decided “Screw this two weeks of down time shit” that his SCEA masters seem fine with and is trying to get servers going tonight, tomorrow at the latest.

    Totally unsubstantiated, but I’d bet nobody in SOE San Diego is sleeping tonight in any event.

    Like

  10. SynCaine

    @Jay: While I’m all for a competitive market, that would be a pretty dirty move IMO. Kicking someone when they are already down is pretty bad form (and should be left to bloggers who hate SOE for EQ1 bringing Trammel to UO back in 99).

    Plus, I’m sure SOE players are out looking anyway.

    Like

  11. Blame The Thief

    For all of you bashing Sony over this. Let me ask you a question.

    When you hear that a thief broke into your local Walmart and stole all the cash customer credit card information, who do you blame more: Walmart or the thief?

    Why is it then, that just because this is a digital crime, that the thief is somehow less culpable than the company he stole from?

    It pisses me off that so many people think that you somehow have a right to hack something and that it’s the company’s fault if someone steals from them.

    If someone robs a jewelry store, it’s the damn thief’s fault, not the jewelry store manager. In the case of the Sony theft, the CRIMINAL broke into private property and broke the law. The same level of blame should be placed on him in the digital world as would be placed on a thief in the physical world.

    Like

  12. Blame The Thief

    Again, who do you blame if someone breaks the lock on your front door in the middle of the night and makes off with your property? Should we all go around bashing you for being an airhead for not putting up electric fences and guard dogs? Or should we go grab the thief and lock him up?

    Sony HAD security in place. Was it perfect? No. NO SECURITY IS PERFECT. The point is that we need to place the heaviest blame where it should go: on the person that BROKE THE LAW, and stop blasting every company on the internet that made a mistake.

    I’m so sick of the entitlement culture on the internet. Did you realize that every time you land on someone’s website, you are on their property? They have a RIGHT to kick you off, or make any rules within reason to protect themselves.

    You have no right to hack into someone’s system, or intrude into their -private- private property, in the same way that you have no right to open the cash register at someone’s gas station.

    Seriously, this Sony bashing makes me so angry. This could have happened to any company or anyone’s private property, in the digital or physical world. That’s what thieves do. It doesn’t make it any more acceptable because the thief did it online.

    Like

  13. Wilhelm Arcturus Post author

    @BTT – Well, having some passing familiarity the the Payment Card Industry requirements and best practices, it seemed pretty clear to me that Sony wasn’t taking this sort of thing as seriously as they could have or should have, especially with the group Anonymous loudly threatening to take Sony down. There was a fiduciary responsibility here that Sony was shirking. We gave them sensitive data and they promised to keep it safe.

    Or, to put the whole thing into a crude analogy merely for illustrative purpose, and not for direct comparison, if your car gets stolen, you blame the thief. But if you left the keys in the ignition, don’t expect a lot of sympathy. And if I left something in your trunk, expect me to be high on the list of the unsympathetic.

    That said, you are correct, there does seem to be an awful lot of people jumping on Sony to pay and very little call for the actual criminals to be brought to justice.

    Like

  14. Blame The Thief

    #14

    I am a full-time web developer. I do this stuff for a living every day. I know that every security system has vulnerabilities. A determined hacker can get through anything, eventually, if he really wants to.

    Sony did not metaphorically, “leave the keys in the ignition”. It DID have security in place and that security was breached.

    I’m not saying that Sony couldn’t have done better – but so could just about any company on the planet, physical or otherwise, that holds sensitive information. I’m saying that people need to stop hammering on Sony like this and use some common sense.

    I’m not sure why people seem to believe that a physical thief breaking a lock on a store and robbing it, is any worse than a thief breaking a digital “lock” on a server and robbing it. Perhaps it has to do with people not understanding that web security is not any less secure than physical security. Or maybe it has to do with people having an axe to grind with Sony. Whatever the reason, people need to stop with the dog-piling on Sony.

    It’s not just Sony though, every time a news story comes out about a thief breaking through digital security, it seems we live in a culture where we want to throw all the blame on the company. It’s the reverse in the physical world – why is that?

    Like

  15. Wilhelm Arcturus Post author

    @BTT – And I have spent 20 years in enterprise software and have had to work within security compliance requirements dictated by VISA and MasterCard. Sorry to say, but Sony did fail to meet specific points in those requirements, something even they admit.

    And with Anonymous threatening to hack them, a group with a track record that shows they do not make idle threats, Sony seemed to have taken a rather passive stance in light of a very real threat.

    So, in my view, Sony gets some of the blame. “It could happen to any company” is a rationalization, not an explanation.

    I suspect neither of us will convince the other when it comes to determining the amount of culpability Sony holds in this situation, so there is no need for another half dozen paragraphs. Let us concentrate, perhaps, on common ground.

    I do agree with you fully, as I said previously, that there seems to be far too little emphasis on who did the actual break-in and in bringing them to justice.

    I imagine that it many ways it simply boils down to “Hackers Still At Large” isn’t as exciting of a headline as “Sony Loses Your Credit Card Data,” and it being easier for a politician to criticize a big corporation for losing data than it would be for that politician to actually become knowledgeable about the issues surrounding cyber crimes.

    How do we fix that?

    Like

Voice your opinion... but be nice about it...

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s