8 Min Read
* Birth dates, addresses, emails, names taken - Sony
* Stolen data could include credit card information
* Says could restore some network services within a week
* Largest theft on record of personal data - analyst
* Sony shares fall 2 percent in strong market (Adds details, comments)
By Isabel Reynolds and Liana B. Baker
TOKYO/NEW YORK, April 27 (Reuters) - Sony Corp warned that hackers had stolen names, addresses and possibly credit card details from the 77 million user accounts of its video game online network, in one of the largest Internet security break-ins ever.
The Japanese electronic giant pulled the plug on the network on April 19 after finding out about the breach in its popular PlayStation Network, a service that produces an estimated $500 million in annual revenues.
Sony did not tell the public about the stolen data until Tuesday, hours after it had unveiled in Japan its first tablet computers.
Sony's delay in announcing the theft sparked an online furor from users, almost 90 percent of whom are based in Europe or the United States, and could push some users to rival Nintendo's Wii and Microsoft's XBox gaming devices.
"If you have compromised my credit information, you will never receive it again," read one message on the PlayStation Network blog from a user under the name Korbei83.
"The fact that you've waited this long to divulge this information to your customers is deplorable. Shame on you."
In a message posted on its U.S. PlayStation blog, Sony said an "illegal and unauthorized person" obtained names, addresses, email addresses, birth dates, user names, passwords, logins, security questions and more.
A Sony spokesman said that after learning of the breach it took "several days of forensic investigation" before the company knew consumers' data had been compromised.
Sony's executives made no mention of the network crisis at the tablet launch in Tokyo, when the glossy devices were unveiled, nor at a later briefing with journalists.
The tablets, which come in two sizes, will be the first to enable the use of PlayStation games and mark Sony's ambitious drive to compete with Apple's year-old iPad.
Sony is the latest Japanese company to come under fire for not disclosing bad news quickly.
Tokyo Electric Power Co was criticized for how it handled the nuclear crisis after the March 11 earthquake. Last year, Toyota Motor Corp was slammed for being less than forthright about problems over a massive vehicle recall. [ID:nN20150756]
U.S. Democratic senator Richard Blumenthal sent a letter to Sony asking it to explain why it didn't notify PlayStation owners sooner. Sony has also reported the breach to the Federal Bureau of Investigation, the New York Times reported.
The shutdown of the PlayStation Network prevented owners of Sony's video game console from buying and downloading games, as well as playing with rivals over the Internet.
Sony said it could restore some of the network's services within a week and issued a set of Frequently Asked Questions on its website to deal with queries about the network.
Alan Paller, research director of the SANS Institute, said the breach may be the largest theft of identity data information on record.
The online network was launched in the autumn of 2006 and offers games, music and movies to people with PlayStation consoles. It had 77 million registered users as of March 20, a Sony spokesman said.
Sony shares fell 2.0 percent in Tokyo in a broader market up 1.4 percent.
The breach is a major setback for the electronics giant. Although video game hardware and software sales have declined globally, the PlayStation franchise is a substantial profit source and remains a flagship product for Sony.
It will be a blow for Kazuo Hirai, who was appointed to the company's No. 2 position last month after building up Sony's networked services. [ID:nTOE729035]
The crisis could also overshadow Sony's plans to launch a new hand-held games device, the Next Generation Portable, by the end of the year. [ID:nTOE70Q05J]
"It's a red flag to a lot of people as to how Sony conducts its business," said Sue Cato, head of corporate communications advisers Cato Counsel in Sydney.
"This will have regulators concerned about security, it will have consumer organisations concerned, it will have some gamers concerned."
How fast Sony can bounce back depends on a number of factors, said Ricardo Torres, editor-in-chief of Gamespot.com.
"It depends how soon the network comes up, but more importantly how Sony deals with their user base," Torres said. "Some kind of compensation has to be provided. 'Sorry' doesn't cut it for a lot of consumers at this point."
"The big question that will come up is what they're doing for security," he added.
Sony said children with accounts established by their parents might have had their data exposed.
It said it saw no evidence credit card numbers were stolen, but warned users it could not rule out the possibility.
"Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained," Sony said.
Analysts said that while Sony has notified customers of the breach, it had still not provided information on how user data might have been compromised.
"This is a huge data breach," said Wedbush Securities analyst Michael Pachter, who estimated Sony generates $500 million in annual revenue from the service. "The bigger issue with Sony is how will the hacker use the info that has been illegally obtained?"
Sony has hired an "outside recognised security firm" to investigate. It said user account information for the PlayStation Network and its Qriocity service users was compromised between April 17 and April 19.
The Japanese firm declined to comment on whether it was working with law enforcement officials.
Paller said Sony probably did not pay enough attention to security when it was developing the software that runs its network. In the rush to get out innovative new products, security can sometimes take a back seat, Paller added.
"They have to innovate rapidly. That's the business model," Paller said. "New software has errors in it. So they expose code with errors in it to large numbers of people, which is a catastrophe in the making."
He suspected the hackers entered the network by taking over the PC of a system administrator, who had rights to access sensitive information about Sony's customers. They likely did that by sending the administrator an email message that contained a piece of malicious software that got downloaded onto his or her PC.
Hackers have stolen personal data in the past from large companies. In 2009, Albert Gonzalez pleaded guilty to stealing tens of millions of payment card numbers by breaking into corporate computer systems at companies such as 7-Eleven Inc and Target Co. of the United States.
Sony said its users could place fraud alerts on their credit card accounts through three U.S. credit card bureaus, which it recommended in its statement.
The company has struggled for years to control the activities of the hackers who make up a portion of PlayStation's fanbase.
Earlier this month, games fan website PlayStation Lifestyle said a group calling itself Anonymous had conducted attacks on Sony websites and online services, motivated by revenge for the company's attempts to clamp down on hacking. (Additional reporting by Victoria Thieberger in Sydney, Tim Kelly in Tokyo and Jim Finkle in Boston; Editing by Lincoln Feast, Anshuman Daga and Dean Yates)