Hackers are reportedly attempting to sell 2.2 million credit card numbers stolen from the PlayStation Network database between April 17 and 19. Sony posted a blog on Wednesday stating that customers’ personal data was encrypted, and there was no evidence at that time that credit card data was stolen; however, the company could not rule out the possibility.
By Thursday, security researchers had seen talk on underground forums of hackers hoping to sell credit card lists for as much as US$100,000, according to a report in The New York Times. The forum comments indicated that hackers possessed names, addresses, user IDs, passwords, credit card numbers and even credit card security codes. One hacker admitted trying to sell a list to Sony but did not receive a response. Multiple researchers have confirmed the underground discussions but could not verify the possession of stolen database information.
Sony: It’s Possible
On many forums, PlayStation customers have expressed anger over their inability to access the PSN, which is still down. On Wednesday, Sony said the system would be up within a week. However, the company has been slow to answer questions or provide details about how much personal information hackers have stolen.
“From a customer-confidence standpoint, plenty of people are rightfully interested in the details,” Richard Wang, manager of Sophos Labs USA, told TechNewsWorld. “Customers are concerned that their information is lost, and that possibly includes their credit card information. It appears that Sony did have the credit card information encrypted, but the company hasn’t confirmed whether the credit card information was stolen. They said it could have been accessed, but they didn’t say whether it actually was accessed.”
Sony has acknowledged that it is possible that credit card data was stolen and recommended that customers keep a close watch on card statements and check their credit reports.
“The hacker broke into the system and had access to the Sony database for passwords and addresses,” said Wang. “The financial information was probably on a different database, but once you’re in the system and effectively using it as a Sony insider, you may gain access to the credit card information as well.”
It took Sony a while to fully disclose the details of the crisis. If it is still withholding information, the company could be vulnerable to lawsuits as well as a tarnished image.
“How Sony recovers depends on a number of things,” said Wang. “They need to make sure they provide accurate information to their customers. If customers feel their credit cards have been compromised, they have to contact their banks and stop those credit cards. Sony needs to provide useful info to their customers so the customers can take that action with their banks.”
Sony can’t just say everything is fine, noted Wang. The customers still don’t have access to the network, and they don’t know if their credit cards are OK. “To an extent, the customers are a captive audience. If you have a PlayStation, the only system to you hook it up to is Sony.”
A Smack in the Face
Sony’s reaction to this crisis has made a bad situation worse, and it will have to do some serious damage control to repair its image.
“Sony did not disclose quickly enough, so that’s going to be a problem for them,” Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld. “They’ve taken a pretty hard image hit. For a company that is very conscious about image, it’s hard to see how they recover.”
This hacking incident isn’t the first time Sony has been on the spot with consumers.
“They had a battery problem before,” said Enderle. “Their batteries were catching fire, and they were slow to admit that. This slowness in disclosure opens them up to a lot of litigation.”
The hacking problem may be a mess that will take Sony a while to mop up — and it will likely be expensive.
“The number of lawsuits they will probably have to defend against will be huge,” said Enderle. “So far, nobody is known to have been compromised, but this attack was going after financial data, so customer credit card accounts are likely to be compromised in the future. That triggers Sony’s requirement to notify customers quickly, and it looks like they didn’t meet that requirement.”