Sony confirms users’ data compromised in breach (update)


Sony has confirmed the worst possible scenario for the 70+ million users of its PlayStation Network: their data has been compromised in an external, unauthorised intrusion on its network, which has led to a wide-scale outage of its online multiplayer network.

Sony says users’ names, addresses, country, email address, birthdate and credit card information, including billing address and purchase history, have been obtained during the unauthorised intrusion. Sony has also said that the secret answers to users’ accounts may have been taken in the attack.

“Sony will not contact you in any way, including by email, asking for your credit card number, social security, tax identification or similar number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking,” Sony has said in an email to all customers.

“When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.”

Sony has also brought in an outside security firm to conduct a full investigation; however, the company states that it learned only yesterday that data had been compromised, after the outside firm revealed the scope of the damage.

This has caused outrage amongst PlayStation Network users, as seen in the comments on our recent updates on the outage. We strongly urge our readers to contact their financial institutions and ask them to monitor their accounts or change details in order to prevent fraud.

UPDATE – 28 April (Chris Southcott): In another FAQ, Sony appears confident that credit cards are safe.

“The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”
