* Stolen data could include credit card information
* Birth dates, addresses, emails, names taken--Sony
* "Largest theft on record" of personal data--analyst
(Adds analysts comment, background)
By Liana B. Baker and Jim Finkle
NEW YORK/BOSTON, April 26 Sony suffered a
massive breach in its video game online network that led to the
theft of names, addresses and possibly credit card data
belonging to 77 million user accounts in what is one of the
largest-ever Internet security break-ins.
Sony learned that user information had been stolen from its
PlayStation Network seven days ago, prompting it to shut down
the network immediately. But Sony did not tell the public until
The electronics conglomerate is the latest Japanese company
to come under fire for not disclosing bad news quickly. Tokyo
Electric Power Co (9501.T) was criticized for how it handled
the nuclear crisis after the March earthquake. Last year,
Toyota Motor Corp (7203.T) was slammed for being less than
forthright about problems surrounding its massive vehicle
The "illegal and unauthorized person" obtained people's
names, addresses, email address, birth dates, usernames,
passwords, logins, security questions and more, Sony said on
its U.S. PlayStation blog on Tuesday.
The shutdown of the PlayStation Network seven days ago
prevented owners of Sony's video game console from buying and
downloading games, as well as playing with rivals over the
Alan Paller, research director of the SANS Institute, said
the breach may be the largest theft of identity data
information on record. [ID:nN26297307]
The breach is a major setback for the Japanese electronics
maker. Although video game hardware and software sales have
declined globally, the PlayStation franchise has been a steady
seller and remains a flagship product for Sony.
Children with accounts established by their parents also
might have had their data exposed, Sony said.
Sony said it saw no evidence credit card numbers were
stolen, but warned users it could not rule out the
"Out of an abundance of caution, we are advising you that
your credit card number (excluding security code) and
expiration date may have been obtained," Sony said.
Analysts said that, while Sony has notified its customers
of the breach, it still has not provided information on how
user data might have been compromised.
"This is a huge data breach," said Wedbush Securities
analyst Michael Pachter, who estimated Sony generates $500
million in annual revenue from the service. "The bigger issue
with Sony is how will the hacker use the info that has been
Sony said it has hired an "outside recognized security
firm" to investigate.
The company said user account information for the
PlayStation Network and its Qriocity service users was
compromised between April 17 and April 19.
Paller said Sony probably did not pay enough attention to
security when it was developing the software that runs its
network. In the rush to get out innovative new products,
security can sometimes take a back seat.
"They have to innovate rapidly. That's the business model,"
Paller said. "New software has errors in it. So they expose
code with errors in it to large numbers of people, which is a
catastrophe in the making."
He suspected the hackers entered the network by taking over
the PC of a system administrator, who had rights to access
sensitive information about Sony's customers. They likely did
that by sending the administrator an email message that
contained a piece of malicious software that got downloaded
onto his or her PC.
Hackers have stolen personal data in the past from large
companies. In 2009, Albert Gonzalez pleaded guilty to stealing
tens of millions of payment card numbers by breaking into
corporate computer systems at companies such as 7-Eleven Inc
and Target Co.
Sony said its users could place fraud alerts on their
credit card accounts through three U.S. credit card bureaus,
which it recommended in its statement.
Sony, a unit of Sony Corp (6758.T), said it could restore
some of the network's services within a week.
The company declined to comment on whether it was working
with law enforcement or other parties in its investigation.
The online network was launched in the autumn of 2006 and
offers games, music and movies to people with PlayStation
consoles. It had 77 million registered users as of March 20, a
Sony spokesman said.
(Reporting by Liana B. Baker; additional reporting by Jim
Finkle in Boston; editing by Robert MacMillan, Kenneth Li,
Bernard Orr and Andre Grenon)