Sony Online Entertainment loses 12,700 credit cards, 24.6 million accounts compromised

Sony Online Entertainment has revealed it has "lost" 12,700 customer credit card numbers due to the breach of approximately 24.6 million accounts.

The fires at Camp Sony continue to be stoked, as Sony Online Entertainment has announced it has lost 12,700 customer credit card numbers as the result of an attack on its infrastructure, which saw the breach of approximately 24.6 million accounts.

"This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007," a press release revealed today.

As reported earlier today, SOE pulled the plug on its online service after it had learned of the attack late last evening. Today, SOE revealed the grim truth behind the situation: "approximately 12,700 non-US credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, the Netherlands, and Spain" have been lost. Apparently, according to the SOE release, the content was from "an outdated database from 2007."

Of the nearly 13,000 lost credit cards, 4,300 are allegedly from Japan, with the aforementioned countries making up the difference.

Sony Online Entertainment links the situation directly to the ongoing PSN attack, which has forced the PS3 and PSP online service offline since Wednesday, April 20. As the two services are not connected, it is unclear how the two situations are linked, considering Sony had previously said the SOE services were safe.

Sony notes it is currently working "with the FBI and continuing its own full investigation while working to restore all services." The full press release from Sony Online Entertainment is available to read at SOE's official site.

Xav de Matos was previously a games journalist creating content at Shacknews.

From The Chatty
  • reply
    May 2, 2011 3:30 PM

    Xav de Matos posted a new article, Sony Online Entertainment loses 12,700 credit cards, 24.6 million accounts compromised.

    Sony Online Entertainment has revealed it has "lost" 12,700 customer credit card numbers due to the breach of approximately 24.6 million accounts.

    • reply
      May 2, 2011 4:25 PM

      So wait, no US cards were compromised AT ALL? That doesn't make much sense... Unless they are just holding back the US amount that they lost, which would be stupid.

      • reply
        May 2, 2011 4:27 PM

        This SOE situation, specifically, is based on credit card information in Japan and select European regions.

      • reply
        May 2, 2011 4:28 PM

        I hope that's true.....They'd be setting themselves up for more problems if they held those numbers back.

        • reply
          May 2, 2011 4:28 PM

          they might have to keep that data siloed by region due to privacy policies or something of the sort.

      • reply
        May 3, 2011 6:36 AM

        They said in the press release that the CCard information was on a separate, secure system from the one that was compromised.

    • reply
      May 2, 2011 4:48 PM

      Oops.

    • reply
      May 2, 2011 5:01 PM

      Heck, it's only a measly 12,700 cards so don't worry yourselves about it.

    • reply
      May 2, 2011 7:36 PM

      Why were they keeping a database of subscribers cards from 2007?

      • reply
        May 2, 2011 8:16 PM

        Are you serious?

        • reply
          May 2, 2011 10:47 PM

          Yes. They even said it was outdated. So why keep it?

          • reply
            May 2, 2011 11:55 PM

            to make it easier for people to resubscribe, why else do you think?

            when most cards expire the account number doesn't change... and it's obviously in their business interest to make resubscribing as frictionless a process as possible.

      • reply
        May 3, 2011 5:41 AM

        To me this suggests that a backup database / table was compromised.

    • reply
      May 2, 2011 8:15 PM

      As soon as I can get into my SOE account I'm removing my card, since they can't be trusted anymore.

    • reply
      May 2, 2011 8:16 PM

      [deleted]

    • reply
      May 2, 2011 8:43 PM

      Now that we got Bin Laden, maybe the CIA, and SEAL Team 6 can help the FBI catch the hackers.

    • reply
      May 2, 2011 9:04 PM

      [deleted]

      • reply
        May 2, 2011 9:10 PM

        sarcasm?

      • reply
        May 2, 2011 9:10 PM

        [deleted]

      • reply
        May 2, 2011 9:10 PM

        SOE isn't PSN. people pay for the MMO access

      • reply
        May 2, 2011 9:14 PM

        Oh watcherxp, u so silly.

      • reply
        May 2, 2011 9:16 PM

        [deleted]

      • reply
        May 3, 2011 12:00 AM

        [deleted]

        • reply
          May 3, 2011 12:08 AM

          [deleted]

          • reply
            May 3, 2011 12:33 AM

            we get it, you don't care about your privacy. That's evident from all your posts on the topic. Is it so hard to believe that some of us really, truly value ours?

            This isn't about the inconvenience of canceling a single credit card. Identity theft can take YEARS to completely sort out, and with all our personal information, answers to secret questions, etc. compromised we may be exposed for years to come.

            • reply
              May 3, 2011 5:49 AM

              A lot of the people on PSN are kids who have used their parent's details and credit card information. My guess is that they don't really care about this situation and just want to get back to shooting people in the face.

            • reply
              May 3, 2011 5:53 AM

              You are delusional about the level of control you have over that information, regardless of any security breach at Sony specifically.

              • reply
                May 3, 2011 6:43 AM

                Really? This argument again?

                "You don't really have any control over who has your personal information so why protect it?"

                The same reason you lock your house or your car. Sure, you're never going to stop someone who REALLY wants to get in but you can keep the idly curious out. Keep the honest, honest. And if you make it more difficult to get into your house, car or get your info you make it much more likely that the crooks will go after easier targets.

                • reply
                  May 3, 2011 7:23 AM

                  I don't disagree with that principle, just the reality of the world we now live in makes it pretty much an irrelevance. The physical security of your house or your car are things that exist within your own control, the security of your abstracted "data" identity are not in any meaningful sense.

                  I did a lot of work on privacy theory in college, then went to work for the monitoring dept of a cellphone network afterwards - all both experiences showed me is that if you interact with the internet, cell phones, credit cards etc at all then data privacy is a total delusion.

                  Not that you shouldn't care if Sony lose your data and they shouldn't be punished for it, but you should accept that by putting it out there it will eventually get lost by someone and even if it isn't it will still be accessible by more people than you will ever have any awareness of. The idea that one specific breach exposes you to risks that you weren't already chronically exposed to doesn't hold up.

                  • reply
                    May 3, 2011 7:38 AM

                    indeed, the data is bought and sold to companies for targeting marketing. it's a big business, apparently

            • reply
              May 3, 2011 5:53 AM

              then don't even make an account then. It's a risk. Probably even more or less says so in the EULA.

      • reply
        May 3, 2011 12:27 AM

        You... you can read right? You know that SOE and PSN are separate networks, and SOE was for MMOs right?

      • reply
        May 3, 2011 5:54 AM

        [deleted]

      • reply
        May 3, 2011 6:43 AM

        it's funny cause you don't know what you're talking about :D

    • reply
      May 2, 2011 9:20 PM

      Waitaminute. I just noticed. "lost"? As in, Sony no longer has these card numbers themselves?

    • reply
      May 3, 2011 6:14 AM

      I don't think there can be any doubt now that Sony and its divisions are being specifically targeted for exploitation. It might not even be the end of it as Sony has its own e-commerce website that is probably ripe for the picking now. I'm kinda interested to see if a precedent gets set in terms of how this company (and others) reacts to hackers and crackers in the future.

      • reply
        May 3, 2011 6:45 AM

        Yes they are being targeted. But that doesn't excuse their poor security.

        • reply
          May 3, 2011 7:01 AM

          And what, everyone else is using better security than Sony, and are probably impenetrable? Don't kid yourself, this shit could happen to a LOT of businesses.

          • reply
            May 3, 2011 7:05 AM

            Sony fucking knew better than to be running production servers with Apache 2.2. I'm sorry, that's fucking inexcusable for a company running a Web-storefront.

            • reply
              May 3, 2011 8:28 AM

              They were also in the middle of building a new datacenter. So is it negligence? Or poor timing? Both? It's just ridiculous reading everyone's scathing remarks for Sony when this could have and has happened to other large companies.

              Also, it doesn't really make sense for this to be an attack on Sony. It sounds a lot more like someone is trying to profit from this information.

              • reply
                May 3, 2011 8:34 AM

                Are the comments any less scathing when it happens to other large companies?

          • reply
            May 3, 2011 7:37 AM

            I'm wondering if it will. Right now, Sony seems to be taking the brunt, but is everyone else's security really that much better? Could this not happen to any other major retailer?

            (I'm not being sarcastic. I honestly don't know)

            I imagine a lot of companies are taking a long hard look at their security protocols right now, though.

            • reply
              May 3, 2011 7:52 AM

              I doubt anyone like Amazon is running unpatched Apache 2.0 like Sony was.

          • reply
            May 3, 2011 7:52 AM

            [deleted]

          • reply
            May 3, 2011 8:42 AM

            Microsoft is. As we have repeatedly detailed they never exchange user information back to the client (Xbox 360). Their login method uses appropriate security where an encrypted tunnel is established, a login/password hash is passed from client (xbox) to server (Live) and if successful, a security token is returned that allows the client to connect.

            Never is user data exposed to the client.

            That's similar to how other login systems work. Sony's was not secured that way. Their system trusted the client.

            • reply
              May 3, 2011 8:50 AM

              not surprising given that MS was the target du jour years back. they took theirs and learned from it

    • reply
      May 3, 2011 6:39 AM

      so the breached accounts, what does it mean, they have your log info for your SOE MMO games?

      after changing a password and secret question what can they do?

    • reply
      May 3, 2011 7:08 AM

      [deleted]

    • reply
      May 3, 2011 8:07 AM

      Going to be interesting to see how Sony justifies keeping SOE services up while pulling down PSN if this was indeed part of the same attack.

    • reply
      May 3, 2011 12:57 PM

      SHOULD HAVE PAID FOR YOUR ONLINE HAHAHA GET A XBOX SONS
