Sony executive Kaz Hirai said tonight that the number of exposed credit card numbers in the PlayStation Network hacker attack was about 10 million. But the Japanese company still does not know if those card numbers were actually stolen and if hackers are trying to use them in fraudulent purchases.
Hirai said that authorities are looking into the matter and that he could not yet say what the damages are from the incident, where hackers penetrated the servers of the PlayStation Network, which has 77 million registered users. The hacker attack is one of the worst in corporate history, and it could make a lot of people and corporations pause as they shift their data and operations to the web-connected cloud.
The 10 million figure of potentially stolen credit card numbers is lower than the 77 million number because not everyone who logs into the network makes a purchase. Much of Sony’s services on the PSN are free, so many users go online on the network without ever using adding their credit card information. Some users have created more than one account. So the number of people affected is less than 77 million.
Meanwhile, in the U.S., the Federal Bureau of Investigation is investigating the hacker attack. Other government law enforcement agencies are working on the case in other countries. The company said that the credit card numbers were encrypted, and investigators have found no evidence that hackers looked at the data related to the cards.
Sony said the vulnerability exploited by the hackers was a known one, meaning Sony should have known about it. The attackers broke into a web application server, made a tool to give them unauthorized access, and used that tool, Sony said.
Sony chose not to describe the exact attack because it did not want that information used to launch more attacks. Hirai said compromised credit card numbers have not been used so far. As for criticism that Sony acted too slowly, Hirai said that it acted as swiftly as it could. He said the company engaged three security firms to fix the problem immediately. He said it took time to analyze all of the data and that was why it took so long.
“As we became more certain of the information, we communicated to the users,” Hirai said.
Stopping the system took time — more than Sony expected. There was also a voluminous amount of information that Sony had to analyze.
Don't let cyber attacks kill your game! Join GamesBeat's Dean Takahashi for a free webinar on April 18 that will explore the DDoS risks facing the game industry. Sign up here.