Things went from bad to worse for Sony (and its customers) yesterday. In addition to the ongoing effort to recover from the PSN data breach and outage, now Sony Online Entertainment has discovered that some of its data, too, was compromised. Let's look at each situation in turn.
SCEA (the Sony PS3/PSN branch) posted another update to the Playstation blog attempting to clear up some of the misinformation being spread about the breach. One story that has been making the rounds is that a group of crackers offered to sell the stolen data back to Sony. On the blog Sr. Director, Corporate Communications & Social Media Patrick Seybold clarified:
We want to state this again given the increase in speculation about credit card information being used fraudulently. One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list.
(My understanding is that the rumor was started when a security expert lurking in an IRC channel or forum frequented by crackers saw some anonymous users making this claim. The expert relayed the story, emphasizing that he had no knowledge of whether or not the info was legitimate, but of course the internet ran with it, leaving his caveats in the dust.)
Seybold also clarified the situation with the passwords that were stolen. Sony said the information wasn't encrypted, which led to many blog commenters deriding the company for storing passwords in clear text. Seybold wanted to make users aware that the passwords were not encrypted but they were hashed (pretty standard practice for passwords). The rest of the personal data was in clear text, though.
Seybold also reiterated Sony's apology to its users.
So now let's talk about Sony Online Entertainment. This is the branch of Sony that runs, among other things, MMOs like Everquest 2, Free Realms and DC Universe Online. The SOE servers were in the same data center as the PSN servers but were otherwise separate systems, but in the course of investigating the PSN breach it was discovered that there'd been an intrusion into the SOE servers as well (part of the same attack).
The SOE system was immediately taken down, and as of the time of this writing (Tuesday morning) remains down. They've put up a web page to keep customers updated.
SOE has begun notifying affected customers of this breach. The company says that data from approximately 24.6 million accounts that may have been stolen. That data includes: name, address. e-mail address, birthdate, gender, phone number, login name and hashed password.
SOE ensures us its main credit card database is stored in a separate and secure environment. So once again personal data stolen, credit cards not. With one glaring exception. There was apparently an old database (from 2007) on the compromised servers that held 12,700 non-US credit card numbers and expiration dates (but not CCV codes) and 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain. This database may have been stolen. Sony is reaching out to everyone in this database to make them aware of what has happened.
Most of SOE's products carry a monthly subscription of about $15/month, and SOE has already stated that they are giving all subscribers a free month of service plus an additional day for every day the system is offline.
For more details on the SOE side of this breach, please see Sony's press release.