Sony admitted today that it had a second major breach of its data security for PC online games. Sony Online Entertainment, a publisher of massively multiplayer online PC games, acknowledged today that hackers broke into its online game network and stole personal data of users. As many as 24.6 million accounts may have been compromised.
This is in addition to the hacker attack that brought down the PlayStation Network for the PlayStation 3 and PlayStation Portable systems — an attack that exposed the personal information of 77 million registered users. Now a whole new set of customer credit cards may have been taken.
Sony said it discovered the breach of its PC online game company, Sony Online Entertainment, in the past 24 hours as it was investigating the other attack. The company took down the service — disrupting service for popular games such as Free Realms, EverQuest, EverQuest II and others.
“We deeply regret the inconvenience this has caused and appreciate your continued patience and feedback,” said a statement on Sony’s web site. Sony said that personal information that may have been stolen includes name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.
Customers outside the U.S. have also had further losses: the hackers got access to 12,700 non-U.S. credit card or debit card numbers from an older 2007 database. They also got access to 10,700 direct debit records listing bank account numbers. The people affected are in Germany, Austria, Netherlands and Spain. Sony said it is notifying those users immediately.
There is no evidence that Sony Online Entertainment’s main customer credit card database was compromised. That database is in a separate and secure environment, the company said. Sony said it previously thought SOE data was safe. For now, Sony has turned off its games, hired an outside security firm to conduct a full investigation, and taken actions to improve its security.
Sony advised users not to fall for phishing scams meant to extract more details from them such as credit card numbers or social security numbers. Sony said it will not ask its users for this information during the course of its investigation. When the services are restored, Sony says users should change their passwords. It also asks users to monitor their credit card statements. Sony says that, at no charge, users will be able to place a fraud alert on their accounts with credit bureaus in the U.S. Sony said it will offer a complimentary pass to enroll in identity theft protection services, with the details determined on a local level.