Play Station Network User Accounts Compromised Anonymous Denies Connection

Play Station Network User Accounts Compromised Anonymous Denies Connection

  • By: CM Boots-Faubert
  • Posted 27th Apr 2011

Sine Mora

Also for this game:

At some point in the dark of night -- or the light of day -- who can say? Err.. Sorry, yeah, at some point in either day or night nefarious crackers broke in to the Play Station Network and waltzed out with user data, including the credit card information attached to accounts.

The buzz online almost instantly turned to point fingers at Anonymous, the grass roots ad hoc organization that has been "protesting" against Sony using some rather original methods. After one of our staff received the email quoted below, we contacted members of the organizational committee at Anonymous this morning to ask specifically if this was one of their operations, and we were told in explicit and clear language that it is not.

The representative for Anonymous went on to say that: "Our mission is not to harm gamers or the customers of Sony, but to send the message to Sony that they cannot take the rights of gamers away with so little consideration. We would never intentionally cause harm to the people we are working hard to represent."

At this point what we do know is that after a delay of almost a full week between when the breach was detected and today, Sony called a "My Bad" and sent an email out to all of the subscribers for their service who they think might have been effected by the breach, a delay that very well may have added to the risks faced by subscribers of the service.

The fact that Anonymous is denying any link to this incident is actually bad news for Sony customers, because if the theft had been engineered by Anonymous in all likelihood the data would never be used for illegal purposes. As this breach appears to be the work of crackers, there is every likelihood that the data will be used, and is even now being sold via the large online credit card fraud underground.

According to security expert Roger Anderson, a stolen credit card number sells for $1, while a card with a three-digit code can sell for $5. When the thief has obtained additional security information, like mother's maiden name, home address, telephone number, date of birth, and the email address of the card holder the value of a number shoots up to $15. If the theft includes a working PIN the value of the stolen data shoots to as much as $200 per number.

By Sony's own admission in their notification email, the value for each of the customer accounts stolen falls in the $15 range, making it a certainty that the numbers and account details will have already been sent into the criminal networks whose business is credit card fraud.

Sony sent the following email to customers effected by the theft:



We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised. As a result of what we have found to date, we have:

1) Temporarily turned off PlayStation Network and Qriocity services;

2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and

3) Quickly taken steps to enhance security and strengthen our network infrastructure by rebuilding our system to provide you with greater protection of your personal information.

We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.

If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

For your security, we encourage you to be especially aware of email, telephone and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information.

If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well.

We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible. Sony takes information protection very seriously and will continue to work to ensure that additional measures are taken to protect personally identifiable information. Providing quality and secure entertainment services to our customers is our utmost priority. Please contact us at 1-800-345-7669 should you have any additional questions.

Sincerely,

Sony Computer Entertainment and Sony Network Entertainment




In addition to the above information they also provided a very detailed set of instructions on how to contact the three major credit reporting agencies and initiate an access freeze on your file.

Gaming Update will keep you advised as more information is made available by Sony, or develops from the victims of this theft.

COMMENTS