Report Button

Awareness

News

PlayStation data theft hits 77m gamers

Rik Ferguson is both a PlayStation user and a computer security expert and spoke to the BBC's Rory Cellan-Jones about what the breach means for gamers

Sony has warned users of its PlayStation Network that their personal information, including credit card details, may have been stolen.

The company said that the data might have fallen into the hands of an "unauthorised person" following a hacking attack on its online service.

Access to the network was suspended last Wednesday, but Sony has only now revealed details of what happened.

Users are being warned to look out for attempted telephone and e-mail scams.

In a statement posted on the official PlayStation blog, Nick Caplin, the company's head of communications for Europe, said: "We have discovered that between April 17 and April 19 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network".

The blog posting lists the personal information that Sony believes has been taken.

  • Name
  • Address (city, state/province, zip or postal code)
  • Country
  • E-mail address
  • Date of birth
  • PlayStation Network/Qriocity passwords and login
  • Handle/PSN online ID

Mr Caplin added: "It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

"For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information."

Credit cards

Sony admitted that credit card information, used to purchase games, films and music, may also have been stolen.

"While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility," Mr Caplin said.

"If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained."

Sony has not given any indication of how many PlayStation Network users may have had their information taken, but the service has around 77 million members worldwide.

Investigation

The UK's information commissioner, Christopher Graham, said that his organisation had already begun investigating the Sony hack.

He told BBC Radio 4's "You and Yours" programme, that it looked like "a very significant breach of data protection law".

The Information Commissioner's Office (ICO) has the power to impose fines of up to £500,000.

However, Mr Graham stressed that his ability to take action would ultimately depend on whether data from the PlayStation Network was stored in the UK - something he was still trying to establish.

"It if turns out that it is our responsibility here in the UK, we would ask 'were the security measures appropriate'," he added.

'PR Disaster'


The theft of so much detailed customer data would be seen as a "public relations disaster", according to Graham Cluley, senior technology consultant at security firm Sophos.

"This is a big one," he told BBC News.

"The PlayStation Network is a real consumer product. It is in lots of homes all over the world.

"The impact of this could be much greater than your typical internet hack."

Mr Cluley warned that, even without credit card details, the information taken was enough to help criminals carry out further attacks on other services.

"Some people will use the same passwords on other sites. If I was a hacker right now, I would be taking those e-mail addresses and trying those passwords," he said.

User anger

PlayStation users got their first indication that something was wrong with the service when it became unavailable on Wednesday 20 April.

In the following days, Sony issued three brief statements asking users to be patient while it investigated an "external intrusion", or hack. Technology Correspondent Rory Cellan-Jones on Sony's statement

 

However, the fact that it took almost seven days for the company to reveal that data had been taken has angered some gamers.

Commenting on the Sony blog, Tacotaskforce wrote: "You waited a week to tell us our personal information was compromised? That should have been said last Thursday."

Another user Sid4peeps wrote: "This update is about 6 days late. I think it is time to move to the other network, no regard for customers here."

But some PlayStation users appeared to be happy with Sony's handling of the matter. Ejsponge61 commented: "Wow, this is alot of info. Thanks, this is very much appreciated by all of us PlayStation fans."

The Sony PlayStation Network remains unavailable to users. The company has not said when service will be restored.

Source: BBC News