
Reader Comments (78)

Posted: May 2nd 2011 6:22PM Syesta said

  • 2 hearts
Update on all SOE sites:

Customer Service Notification
May 2, 2011

Dear Valued Sony Online Entertainment Customer:
Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems. We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack. Stolen information includes, to the extent you provided it to us, the following: name, address (city, state, zip, country), email address, gender, birthdate, phone number, login name and hashed password.

Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained - we will be notifying each of those customers promptly.

There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment.

We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.

We apologize for the inconvenience caused by the attack and as a result, we have:

1) Temporarily turned off all SOE game services;

2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When SOE's services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your Station or SOE game account name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it:

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a "fraud alert" on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

You may wish to visit the web site of the U.S. Federal Trade Commission at www.consumer.gov/idtheft or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your State Attorney General, and the FTC. For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001; telephone (877) 566-7226; or www.ncdoj.gov. For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or www.oag.state.md.us.

We are committed to helping our customers protect their personal data and we will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs. The implementation will be at a local level and further details will be made available shortly in regions in which such programs are commonly utilized.

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1 (866) 436-6698 should you have any additional questions.

Sincerely,

Sony Online Entertainment LLC

Posted: May 3rd 2011 3:02AM Interitus said

  • 2 hearts
@Syesta

In terms of Sony as a whole SOE is a minor fish in a big pond. They already just went through a huge round of firings, this has the potential to take SOE down. Sony is only going to throw money at this for so long. There is the potential for more games to be shut down or development to stop on other games. The bad press and stoppage of business is not something they want hanging around.

And I think people aren't recognizing the impact in the rest of the MMO world. Do you honestly believe you are any safer with company X? Everyone had no problem with account security with SOE until something happened. Consider how safe you thought you were with SOE prior to this happening, do you feel that safe with other companies? It's been proven plenty of times that if a group is dedicated enough they can get through pretty much anyone's security. This could really hurt other developers and the genre in general.

There is nothing any of us can do right now except see how this rides out.

Posted: May 2nd 2011 6:25PM (Unverified) said

  • 2 hearts
Uh-oh... Now that is disturbing news. I knew it was too good to be true that they had just stolen personal data.

Posted: May 2nd 2011 6:35PM darrenkitlor said

  • 2 hearts
So, seppuku anyone?

I'm surprised Sony's protections were this vulnerable as I own both a PS3 and a separate SOE account. The PSN and SOE are different organizations under Sony's umbrella - it's surprising that all were hit (though likely due to shared data between PSN and SOE accounts).

Posted: May 2nd 2011 6:41PM Syesta said

  • 2 hearts
@darrenkitlor
IIRC, SOE is as American as apple pie.

Posted: May 2nd 2011 6:57PM HokieKC said

  • 2 hearts
@Syesta - No. They're still a subsidiary of Sony. SOE's really big decisions are made in Japan. Example, when SOE closed down those studios and fired all those people that was ordered from Sony.

Posted: May 2nd 2011 6:38PM (Unverified) said

  • 2 hearts
Gee, and they told all their SOE customers to relax, that Station users didn't have to worry about the PSN attacks.

Anyone still willing to defend Sony now is out of their mind. I'm done with all their shit. What a friggin' joke.

Posted: May 2nd 2011 7:45PM aurickle said

  • 2.5 hearts
@(Unverified)
Why? They're being up front here.

They had initially believed that only the PSN accounts were affected.

As soon as they found out that was not the case, they shut down all services and are working to not only make sure it can't happen again but also to notify those accounts that were affected. I know from elsewhere that people are receiving emails from Sony letting them know that their accounts were among the identified ones.

Meanwhile, they're also letting everyone know what's going on.

How is this bad? They couldn't tell us what they didn't know and they didn't know it was more than PSN until yesterday and they didn't know the extent of the damage until now. Seems pretty up front and honest to me.

Posted: May 2nd 2011 8:20PM absolutturkey said

  • 2.5 hearts
@(Unverified) I'll defend Sony. So let me get this straight. You want to blame the victim here? Someone took the time and effort to ILLEGALLY hack Sony and you want to blame them? If someone hacks your computer, should we blame you? If I break into your house, is it your fault I broke in? Could Sony have been more careful? Sure. ALL OF US should be more careful in regards to security. But the whole "blame the victim" mentality not only does not help anyone, but it's just plain stupid. It's okay to be upset at the situation, but it would be wise to direct your anger to the people that are truly responsible.

Posted: May 2nd 2011 8:37PM (Unverified) said

  • 2 hearts
@absolutturkey

Sorry, if anyone is being stupid, it's you and others who fail to pay attention to the whole story. Sony admitted that it was a known flaw that existed well before the hackers used it, along with the dev accounts that were left wide open by the last firmware update Sony did because their programmers are apparently incompetent tools, that was exploited. A known flaw they did nothing about because according to Sony even though the IT guys knew about it, management never heard about it and that is why they're hiring a "chief security officer" now.

Sony rolled out the red carpet for the hackers, whether they intended to or not. Sony is the major fault holder here, followed by the hackers.

Posted: May 2nd 2011 8:38PM Sean D said

  • 2 hearts
@absolutturkey

I think the overall assessment that's being made here is this: Sony has proven themselves incapable of protecting our personal information. I think it's wise for people to reconsider their associations with Sony after these events. And after reconsidering, if you choose to continue your relationship with Sony, you're just as welcome to do so as those who decide to discontinue their relationships with Sony. Placing blame here is irrelevant as the deed is already done.

Posted: May 2nd 2011 9:49PM starbuck1771 said

  • 2 hearts
@absolutturkey
In the end, though, do you think SOE will reimburse the lost time to their subscribers? Hell no.

Posted: May 2nd 2011 10:24PM aurickle said

  • 2 hearts
@starbuck1771
Have you even read the press release or the other comments already in this thread?

Sony is not only reimbursing their subscribers with a day of extra time for every day that's lost, they're also reimbursing a full month in addition to that.

Posted: May 2nd 2011 10:31PM Kaoss said

  • 2 hearts
@aurickle
Are you really that stupid/naive? So what if they're being up front about it. YOU ARE PAYING THESE PEOPLE TO TAKE YOUR ACCOUNT INFORMATION AND KEEP IT SAFE. What right do they have to ask you for personal information, money and credit card details and tell you that this information will be kept safe and private when clearly that's not the case.

This is a bajillion $$ company; they can afford the tools and resources to protect your sensitive information but they have clearly failed. I have never played a Sony game so I am not affected but I seriously feel sorry for everyone caught up in this and seeing clueless people try to defend Sony's ass with "Oh they were hacked we should feel sorry for them".

Tell me if you have a bank account with $1,000,000 sitting in it and your bank company gets hacked wiping all accounts clean of any money in it are you going to be defending the bank? No of course not, it is their job to keep your money safe, just as it is Sony's job to keep your private details safe.

Posted: May 2nd 2011 11:25PM aurickle said

  • 3 hearts
@Kaoss
I work in the software industry. My own company has come under attack numerous times despite being small potatoes as a target compared to the likes of SoE with their 26 million customers. The simple truth is that if a computer is connected to the internet there is no such thing as 100% secure.

Look at Microsoft. Massive company (larger than SoE) with huge numbers of employees and a product that's been out and in ongoing development for decades. Yet hardly a week goes by that there's not another update and most of these updates have to do with correcting possible security flaws. And how do they learn about most of these flaws? From someone outside Microsoft discovering them.

Then again, look at something like the Pentagon. One of the biggest budgets in the world with arguably the broadest talent pool to draw from. They get attacked and some of those attacks do succeed. And that's only something as "paltry" as national defense at stake. Heck, the missile silos housing our ICBMs are operated using computers and technology that wherever possible is deliberately kept decades old. Why? Because that security was far less vulnerable than today's systems.

It would be nice to live in a 100% secure world, but that world doesn't exist. ANY time you put your personal information on a machine that is connected to the internet you are putting your information at risk. Period. And the larger the company you entrust with that information, the larger the target is painted on it. The moral of "War Games" is very much true here: The only way to win... is not to play.

You can crucify Sony if it makes you feel any better, but the fact is it could have happened to any company. I've seen at least a half dozen major security breaches reported online in as many months. We just saw it with MMOs only a couple months ago with Rift. Expect to see this sort of story pop up more and more in the coming months and years. Cyber crime has become arguably the most lucrative form of crime in the world, both because it can be so profitable and because it's so hard to catch the criminals. That makes it attractive to anyone with a larcenous streak and the slightest technical knowhow.

In fact, it takes very little knowhow at that. These days you don't even need to be connected to the internet for your credit information to be at risk. There are devices that can skim the information off your card while it's in your wallet as you walk by. Which brings me right back to my original point: No matter how hard companies might work to protect your information, there is no such thing as 100% secure.

Get used to it.

Posted: May 3rd 2011 1:50AM Space Cobra said

  • 2 hearts
@aurickle

I am with Aurickle in this: It is the day ANY company that is connected online is not fully secure. Merchants and banks have these types of break-ins. Even Microsoft is not invulnerable to it. Microsoft tends to be very closed-lipped about such security breaches, too.

I am not happy about it, but that's why I try to be as safe as possible wherever I game. This whole "we need your info to market to you" is really BS. My cc info is safe, because I choose to buy/use point cards instead of the ease of credit cards.

If you make things too easy for a customer, you make it easy for a thief.

Posted: May 5th 2011 1:20PM watchawatch said

  • 2 hearts
@aurickle
They didn't just get information, THEY GOT EVERYTHING. No I'm sorry, but you working in the 'industry' know that is inexcusable. Attacks happen. But complete and utter failure with a long period of not letting customers know what happened? Sony is absolutely to blame for negligence and failure to safeguard its customers' information.

I will NEVER give Sony anything ever again. They have lost my business and they earned it.

Posted: May 2nd 2011 6:41PM gerB said

  • 2 hearts
Sony, I am disappoint.

Posted: May 2nd 2011 6:43PM Fakeassname said

  • 2 hearts
2007 isn't that bad, most credit/debit cards expire within 2 years so a goodly portion of that data will be completely redundant.

Posted: May 2nd 2011 7:04PM Yellowdancer said

  • 2 hearts
@Fakeassname

Erm, didn't old cards use to last for 5 years before renewal?
