Sony disclosed today that the breach affecting its PlayStation Network (PSN) that saw 77 million records lost was larger than they originally thought. Not only were the details of PSN users stolen, but another 24.5 million records related to users of Sony Online Entertainment were stolen as well.
Sony Online Entertainment (SOE) is the division of Sony responsible for many of their popular online role-playing games like DC Universe Online and Star Wars: Clone Wars Adventures. As in the PSN breach, the lost information included names, addresses (city, state, zip, country), email addresses, gender, birthdates, phone numbers, login names and hashed passwords.
In news perhaps worse than the disclosure from two weeks ago, Sony is saying that 12,700 credit and debit cards and expiration dates of non-US customers and 10,700 direct debit accounts (bank account numbers) for users in Germany, Austria, Netherlands and Spain may also have been stolen.
Unlike the credit cards from PSN, which Sony assured the public were encrypted, no mention was made in Sony’s press release about the information from SOE being protected.
Sony was quick to note that the passwords had been hashed, but has not disclosed which hashing algorithm was used and whether they used a salt when calculating the hashes.
Sony mentioned that the lost credit/debit card information and direct debit banking information was stored in an “outdated database from 2007.”
WHAT??!?! How many locations on your network are housing other “lost” financial data? Do you even know where my information is to check whether it has been stolen?
Whether Sony’s bad practices are an act of hubris or simply gross incompetence is hard to discern. Let’s hope for the sake of Sony’s customers and the poor souls in their public relations department that this is the last disclosure they will need to make related to this incident.
It is important to remember that Sony is a victim as well, not just the 101.5 million customers whose personal information have been disclosed. Malicious attacks like this are a serious crime, it is just unfortunate that Sony had not taken a few preventative measures to be sure our information was safe.
For more information on how to keep your data safe, visit our Data Loss and Regulations site to download free tools, papers and other advice on keeping your data safe.