Fury at Sony's delay in telling millions their details were hacked

PlayStation users left uninformed for five days after world's largest data theft
The Independent Tech

Sony was battling to contain an escalating public relations disaster last night after the hardware giant revealed that personal details of more than 77 million PlayStation customers have been stolen in one of the world's largest data thefts.

Sophisticated criminal hackers are believed to have broken into Sony's PlayStation Network more than a week ago and made off with vast quantities of personal information, including players' names, dates of birth, email, passwords and addresses.

The company also revealed that credit card information may have been stolen as its experts try to uncover the full extent of the hack.

The PlayStation Network, which allows gamers to play and purchase games over the web, has been offline for the past eight days. But it took Sony until Tuesday evening to inform customers that their details may have been stolen.

After days of silence Sony finally revealed in a blog post that an "illegal and unauthorised person" had breached the company's security systems to steal personal data and that its experts "could not rule out the possibility" that credit card numbers have also been taken.

Industry analysts and gamers yesterday reacted with dismay that such a profound data breach was kept secret for so long.

James Holland, editor of Electric Pig, told The Independent: "The fact that Sony took more than five days to inform people that their data may have been stolen is nothing short of appalling."

Gamers flocked to internet forums to vent their fury, threatening to return Sony products and close down any accounts they hold with the gaming giant.

Users speaking to The Independent said they were deeply concerned about how the attack might affect their other online passwords and accounts. One, Tom Calverley, said that he was "very angry" about what he called a "fiasco".

The Glasgow PlayStation owner and blogger Jon Brady said Sony should have "taken more care to secure our passwords and other personal information", but said that he thought the firm had been "unlucky".

Sony refused to say whether it would offer refunds to customers who took to its official online forums demanding their money back.

Some customers said they wanted to return their hardware and cancel any subscriptions they had taken out, but the company would only say: "When the full services are restored and the length of the outage is known, we will assess the correct course of action."

Analysts have described the hack as one of the world's largest data thefts.

"This is certainly one of the biggest breaches in terms of the sheer amount and type of data taken," said George Campbell, a technology lawyer at McGrigors. "It is a huge problem for Sony in terms of negative publicity."

Although it is still not clear whether credit card details were taken, cyber security experts warned that much of the information already accessed by the hackers is a goldmine for criminal networks.

"Even without the credit card numbers this information can be used by criminals," said Rik Ferguson, a cyber security expert at Trend Micro. "Unfortunately many people duplicate passwords across websites, they often use the same password as the one on their email. Those who think their data may have been stolen need to change their online passwords straight away."

Yesterday the Information Commissioner's Office announced that it would question Sony about the breach. Equivalent authorities in Australia and the United States said they would also investigate the data theft.

When rumours of a hack first surfaced a week ago, speculation centred on Anonymous, the shadowy "hacktivist" network behind a string of high-profile ideological cyber protests. But Anonymous has denied being behind the breach as suspicion instead falls on sophisticated criminal networks, probably based somewhere in eastern Europe.

A tempting target for hackers

* Dreamt up in 2006 as a way for PlayStation gamers all over the world to be able to play against each other, the PlayStation Network (PSN) is an online service provided by Sony. As long as they have a broadband connection, customers can use the service to connect with other users and play games together, as well as to chat to each other and visit webpages. Users can also download and buy games, add-ons and videos from the PSN Store.

* Subscription to the service itself is free, but users still provide credit card details because certain services, such as the PSN Store, charge a fee for downloads. Last June, a premium sister service called PlayStation Plus was launched, offering exclusive content to subscribers for a fee. Besides their login details, users are also required to provide home addresses, email addresses, and dates of birth – information that can be highly useful to identity fraudsters.

* The service has amassed 77 million users in the five years since it was launched, 3 million of them in Britain.

* Sony only allows authorised products to be used over the service, but some users have found ways of "jailbreaking" their consoles to allow them to use pirated products. One was sued over such allegations and there was speculation that the legal action against him was the motivation behind last week's attack.

Q&A: Do criminals have my credit card details?

Q. I have a Sony PlayStation. Should I be worried?

If you've used a credit or debit card to buy content, your account may be compromised. The fears are that all the 3 million or so British PlayStation users have been hit by hackers.

Q. What does compromised mean?

It means that crooks may have your plastic card details. Sony has admitted that hackers have stolen names, addresses, email addresses, birth dates and logins and passwords, but has yet to say if financial details have been stolen.

Q. Should I cancel my credit card?

There's no need to panic. If as a result of hackers' activity money is stolen from your account, it should be returned by your bank or card company.

Q. So I don't need to do anything?

That depends. If you use your PlayStation password elsewhere, you should change it right away. In any event, it's good practice to change your password regularly to cut down the possibility of fraud.

Q. Once I've switched password, do I have any reason to worry?

Not really. You should monitor your account for unusual activity and tell your bank if you see any strange payments. Also be on the lookout for phishing emails. Banks never ask for passwords or PINs. If anyone else does, refuse and tell your bank or card company.