
Sony PSN and Qriocity user databases hacked

Published on Wednesday 27 April 2011


Sony has revealed that user information on the company’s PlayStation Network and its Qriocity music service was accessed by a hacker last week, including a great deal of personal information, possibly including credit card numbers.

Access to both the PlayStation Network and Qriocity was suspended on 20 Apr, with users notified that this was due to an “external intrusion” two days later, but the database compromise was only announced yesterday when it was uncovered by a security firm assessing the scale of the attack. It’s not clear how many accounts were stolen, but it is estimated that PSN and Qriocity collectively have up to 79 million users.

Qriocity, of course, powers Sony Entertainment’s Music Unlimited service, which launched in the UK and Europe last year, followed by the US, Australia and New Zealand in February, and provides streaming music through any net-connected Sony device. The PlayStation Network meanwhile allows PS3 and PSP console users to play multiplayer games online, plus gives access to a variety of services including the PlayStation Store, LoveFilm, VidZone and the BBC iPlayer.

In an email to users, Sony said: “We have discovered that between 17 Apr and 19 Apr 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorised intrusion into our network … Although we are still investigating the details of this incident, we believe that an unauthorised person has obtained the following information that you provided: name, address, country, email address, birthdate, PlayStation Network/Qriocity passwords and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address, and your PlayStation Network/Qriocity password security answers may have been obtained”.

Adding that there was “no evidence that credit card data was taken at this time”, the company admitted that it “cannot rule out the possibility”, saying that credit card numbers and expiry dates (though not the cards’ security codes) could have been stolen.

Many users expressed anger that it had taken so long for Sony to inform them that their personal data had been compromised. The company this morning assured users that it had not withheld news of the breach from them, saying: “There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion 19 Apr and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly yesterday evening”.

Despite these assurances, many users are understandably still upset at the company’s handling of the situation, and the fact that it was possible for hackers to gain access to the PSN databases at all. And the repercussions from this incident may have longer-term effects.

Security firm Sophos’ senior technology consultant Graham Cluley told the BBC: “This is a big one. The PlayStation Network is a real consumer product. It is in lots of homes all over the world. The impact of this could be much greater than your typical internet hack. Some people will use the same passwords on other sites. If I was a hacker right now, I would be taking those email addresses and trying those passwords”.

Of course, the hacker in question has already had over a week to begin doing just that. Sony urged users “to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information”, but, as Cluley noted, the potential for someone to gain access to accounts on other unrelated services remains a concern, too.

Online security and identity theft consultant Robert Siciliano told The Telegraph: “If the bad guys have [username and password] information, they can use it to access social networking and banking accounts, and that’s where the problems begin. They can log into your email and change the password and go through looking for other accounts. There’s no end to what they can do. There’s enough data that the bad guys can turn that into cash with relative ease”.

Currently the PlayStation Network and Qriocity remain down, with Sony unable to comment on when they might return. This morning users were told: “We are taking the investigation seriously. We will keep the service down to allow us to conduct a thorough investigation and verify smooth operation of our network services but are working hard to resume the services as soon as we can be reasonably assured security concerns are addressed”.

Presumably other online services with large user databases are assessing their security procedures as we speak. I hope they are, anyway.


