April 26, 2011, 4:27 PM — In an update on the Playstation Blog today, Sony's Sr. Director, Corporate Communications & Social Media Patrick Seybold confirmed our worst fears: your Playstation Network info may have been stolen.
Here's the most impactful part of the post (though I urge you to click through and read the whole thing):
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
Seybold urges members to be particularly aware of the potential for phishing and other scams in the days to come.
As to restoration of the Playstation Network, he says "some services" will be restored within a week.
Seybold offers apologies and asks for the patience of Sony's customers, but offers no explanation for why it has taken them this long to make a public statement about the stolen data.
[Update: In a follow up blog post, Seybold says they were aware of the intrusion last week but not aware of the customer data being compromised until yesterday.]
This is truly a staggering public relations blow for Sony, one that may haunt it for years to come.
Update: Connecticut Senator Richard Blumenthal also wants to know why Sony took so long to inform customers of the breach, and thinks the company needs to do more for its customers. Here is the full text of a letter he has written to Sony President & CEO Jack Tretton:
April 26, 2011
Mr. Jack Tretton
President and CEO
Sony Computer Entertainment America
919 East Hillsdale Boulevard
Foster City, CA USA 94404
Dear Mr. Tretton:
I am writing regarding a recent data breach of Sony’s PlayStation Network service. I am troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections.
It has been reported that on April 20, 2011, Sony’s PlayStation Network suffered an “external intrusion” and was subsequently disabled. News reports estimate that 50 million to 75 million consumers – many of them children – access the PlayStation Network for video and entertainment. I understand that the PlayStation Network allows users to store credit card information online to facilitate the purchasing of content such as games and movies through the PlayStation Network. A breach of such a widely used service immediately raises concerns of data privacy, identity theft, and other misuse of sensitive personal and financial data, such as names, email addresses, and credit and debit card information.
When a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised. Additionally, PlayStation Network users should be provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Sony. Affected individuals should also be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.
I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.
PlayStation Network users deserve more complete information on the data breach, as well as the assurance that their personal and financial information will be securely maintained. I appreciate your prompt response on this important issue.
United States Senate