Six days after a security breach of its PlayStation Network, Sony said Tuesday that the incursion was much worse than expected and hackers had obtained personal information on 70 million subscribers.
The company, in a blog entry posted Tuesday afternoon, added it is still unsure if the intruder also obtained credit card data for members who have that on file with the service, which provides online functionality for the PlayStation 3.
"Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID," wrote Patrick Seybold, senior director of corporate communications for Sony Computer Entertainment America. "It is also possible that your profile data, including purchase history and billing address … and your PlayStation Network/Qriocity password security answers may have been obtained. … While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility."
Sony says the attack has led it to begin rebuilding the system. It expects to restore some services within a week.
The company is urging subscribers to be on alert for identity theft attempts as well as email, telephone and postal scams. (Users can contact the three major U.S. credit bureaus — Experian, Equifax and TransUnion — and have their accounts put in "high alert" status for no charge.) It is also advising them to change their password when service is ultimately restored.
Sony's stock was down about one percent in after-hours trading.
Analysts say they don't believe investors will punish the company substantially, given that this was an external attack and not the result of an internal error.
"Any time you have a break of fidelity like that, it's an issue," said Mike Hickey of Janco Partners. "It's pretty clear that someone has taken an illegal action to make a point. So do I hold Sony to blame for that? No. But should Sony have better security to protect their subscribers' personal information? Probably."
So far, no hacker group has claimed responsibility for the attack. The rogue group known as Anonymous, which has famously launched attacks on both Gene Simmons and Hustler Magazine, was initially suspected, having vowed in early April to target Sony following the company's legal action against a hacker who dismantled the PS3's security.
The group managed to disrupt the service with a Distributed Denial of Service (DDoS) attack earlier this month. (Anonymous attackers, using software known as “Low Orbit Ion Cannons,” repeatedly pinged the company's servers. When done simultaneously by enough users, this can bring the site down — usually quickly and without warning.)
However, Anonymous denies responsibility for this incident, saying on its site, "While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and does not take responsibility for whatever has happened."
While consumers impacted by the hack are Sony's first priority, the continued outage of the PlayStation Network is also impacting its developer partners (both internal and external).
The company released "SOCOM 4," a multiplayer-focused action game that is traditionally one of its biggest franchises, last week. The eagerly anticipated "Portal 2," which comes with a co-operative mode, also hit store shelves last week — with an integration of Valve's Steam online service into the PlayStation Network being touted as one of the chief reasons to opt for the PS3 version of the game, rather than the Xbox 360 version.
The company has reportedly vowed to help some of the game makers who are seeing their revenues dry up.
"Sony will be helping us retain key focus (PSN store promotion) for a few extra weeks as they understand how something like this can affect a small dev studio like ours," Paddy Murphy, CEO of Open Emotion, told IGN.
The outage and data breach could give Microsoft an advantage in the online gaming space, as its Xbox Live service has never suffered such a compromise. Unlike Microsoft, which requires a $60 annual subscription fee for access to most features of its Xbox Live service, Sony does not charge most users for access to the PlayStation Network. (A PlayStation Plus program is available, giving early access to demos, priority invitations to game beta tests and discounts on products in its online store.)