Hackers may have stolen the data of another 25 million Sony accounts, following last week’s announcement that data from 77 million PlayStation network accounts had been taken.
The Japanese electronics giant says its Sony Online Entertainment PC games network was hacked on 18 April – but the company did not learn about the security breach until early on 2 May. The service was shut down shortly afterwards.
Sony Online Entertainment, which is separate from the company’s PlayStation video game console division, allows computer users to play multiplayer games over the internet. Games affected include EverQuest and DC Universe.
On 27 April users of Sony’s PlayStation Network, which enables PlayStation 3 and PlayStation Portable console users to buy and play games online, were warned that their personal details might have been compromised.
Yesterday Sony said it had put in place measures to avert another such cyber-attack.
It’s an unprecedented, malicious attack that has led to this. David Wilson, Sony UK
The corporation believes the names, addresses, emails, birthdates, phone numbers and other information from 24.6 million PC games accounts may have been stolen from its servers, which are based in San Diego, California.
Head of Sony PR in the UK David Wilson told Channel 4 News: “I think we would have probably told you prior to this that our security was as good as any. But it’s an unprecedented, malicious attack that has led to this.
“We won’t know yet who’s behind this. The FBI and others are trying to establish the fact. But the point is that it’s on an unprecedented scale.”
How to improve your online security
It's certainly true to say that any concentration of data, particularly data related to financial transactions represents an attractive target to criminals, online merchants, financial institutions and the like should not feel that they are immune, writes Rik Ferguson of Trend Micro.
Unfortunately, the fact that 100 per cent security is an unattainable goal is a fact of life. Businesses base their security strategy on a risk management approach. They should be investing the correct budget to secure the asset with respect to its value and the impact a potential breach would have.
Some vulnerabilities, whether internal or external will always remain. I certainly expect to see businesses increasing their investment in Intrusion Prevention technologies, both network and server based and above in data encryption technology. That way, even in the event of a successful breach any data is useless to the attacker.
There are also things that consumers can take advantage of which are not being fully realised right now. Many credit card providers offer "one time credit card numbers" which are valid only for a single purchase. These are specifically designed for online shopping. Also, systems such as PayPal offer consumers a means to make purchases without disclosing their financial details to the vendor.
Users should also pay closer attention to their own security mechanisms such as using unique complex passwords for all important online services and making sure that things such as their security questions, often used for password reset procedures, are truly secure. Remember, you are almost certainly not the only person that knows your mother's maiden name for example. Answers to these questions do not have to truthful, only memorable!
As regards the data stored by Sony, what I am seeing right now is that any financial data was encrypted, which certainly mitigates much of the risk. In addition, data such as passwords was also not in cleartext but was obscured using a technique known as hashing. Both encryption and hashing come in many flavours, though, and simply stating that something was encrypted or based is no guarantee of security.
Commenting on the latest Sony security breach, Rik Ferguson, director of security research at Trend Micro, said: “Unfortunately, the fact that 100 per cent security is an unattainable goal is a fact of life.
He advised concerned consumers to take advantage of “one time credit card numbers” offered by some cred card providers. “These are valid only for a single purchase and are specifically designed for online shopping.”
As far as Sony’s own security is concerned, Rik Ferguson notes: “What I am seeing right now is that any financial data was encrypted, which certainly mitigates much of the risk. In addition, data such as passwords was also not in cleartest but was obscured using a technique known as hashing.
The fact that 100 per cent security is an unattainable goal is a fact of life. Rik Ferguson, Trend Micro
“Both encryption and hashing come in many flavours, though, and simply stating that something was encrypted is no guarantee of security.”
The latest breach may also have led to the theft of 10,700 direct debit records from customers in Austria, Germany, the Netherlands and Spain and 12,700 non-US credit or debit card numbers.
A Sony spokesperson has confirmed that the company cannot be certain whether other data could also be at risk. “They are hackers. We don’t know where they’re going to attack next,” said Sony’s Sue Tanaka.
In addition, the latest security lapse has forced Sony to suspend its Sony Online Entertainment games on Facebook.