Sony Accounts Hacked Again

As if the PSN debacle earlier this year wasn’t enough, Sony has announced that 93,000 of their online accounts have been accessed by a(n) unauthorized user(s). That’s a big number, but 93,000 actually makes up less than one-tenth of one percent (0.1%) of their total user base. Of the 93,000 accounts breached, 60,000 are from PlayStation Network (PSN) and Sony Entertainment Network (SEN). The other 33,000 are from Sony Online Entertainment (SOE).

Sony has locked out all of the affected accounts and are investigating the security breach. Philip Reitinger, VP & Chief Information Security Officer for Sony Group, assures that very little damage has been done:

“Only a small fraction of these 93,000 accounts showed additional activity prior to being locked. We are currently reviewing those accounts for unauthorized access, and will provide more updates as we have them. Please note, if you have a credit card associated with your account, your credit card number is not at risk. We will work with any users whom we confirm have had unauthorised purchases made to restore amounts in the PSN/SEN or SOE wallet.

I’m not privy to any more details, but that actually does reassure me a little. The way I read this statement, Sony had enough early notification of the breach to lock out most of the accounts before any unauthorized purchases were made. It’s also important to note that it appears their recent security upgrade to separate users’ credit card information from the rest of the account was successful. Reitinger’s statement indicates that only the funds currently in the accounts’ wallets were at risk, not the owners’ credit card information. If you were one of the unlucky 0.1%, and, even more unlucky, had additional activity prior to lockout of your account, they’re going to work with you to restore those lost funds. Which is all well and good, except you still had your account hacked less than a year after Sony had one of the most extensive hacking cases to date!

I’m glad to see Sony has taken steps to protect our information. I’m glad to know that they were able to freeze these accounts prior to any real damage being done. I’m glad they are taking swift and public action, not trying to minimize the damage (unless, of course, they are and I don’t know it yet). But this is pretty terrible. After the devastating PSN attack earlier this year, Sony made a lot of promises about their security upgrades. While I realize no system is 100% safe, I would expect Sony to have the type of security that would make “too big to fail” banks jealous. If only just to show their commitment to data protection.

In the meantime, for those of us not affected, let’s hope Sony is more vigilant and has taken further steps to prevent this from affecting us in the future. For those who were affected already, you should be seeing an email from Sony informing you that you’ll need to change your password. Remember, a strong password is your primary defense against intrusion, since you clearly can’t count on everyone’s internal security. Use a good mix of letters and numbers. Include symbols if they’re allowed. Mix up your upper and lower cases. I know how big of a pain it can be to have separate passwords for all of your accounts, but it’s a good safety measure. If you have “pa$$w3rd” to protect both your email and your PSN account, you’ve now had both of them breached. I hope it wasn’t your online banking password too.

EDIT: Sony has since clarified that the attempted breach came from an individual or group that was testing a massive number of log-ins with passwords against their network. Because of the number of failed attempts, it appears the information was not gathered from their databases. It would appear the 93,000 accounts breached used the same login and password combination on whatever service is the source of their information. Under these circumstances, I feel that Sony’s response time is actually quite admirable. And it appears the advice from my last paragraph is more apt than I had expected.
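To show what the pattern in that EDIT looks like from the defender’s side (one source trying many different accounts, with only the reused passwords succeeding), here is an added detection sketch over a constructed login log. It is example code written for this post, not Sony’s, and the thresholds, log layout and addresses are assumptions.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed sample login log: (seconds, source address, account, outcome)."""
    events = []
    # One source walks through 40 different accounts in 40 seconds; only two
    # account/password pairs reused from elsewhere actually work.
    for i in range(40):
        outcome = "success" if i in (7, 23) else "fail"
        events.append((i, "198.51.100.7", f"user{i:03d}", outcome))
    # A legitimate user mistypes a password twice, then logs in.
    events += [(5, "203.0.113.9", "carol", "fail"),
               (9, "203.0.113.9", "carol", "fail"),
               (14, "203.0.113.9", "carol", "success")]
    return events

def detect_credential_testing(events, window_s=60, min_accounts=20, max_success_rate=0.10):
    """Flag sources that, within any window, try many distinct accounts and mostly fail.
    A high failure count across many accounts is what marks the credentials as
    coming from another site rather than from the local database."""
    by_source = defaultdict(list)
    for t, src, acct, outcome in events:
        by_source[src].append((t, acct, outcome))
    flagged = {}
    for src, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window_s:
                start += 1  # slide the window forward
            chunk = attempts[start:end + 1]
            accounts = {a for _, a, _ in chunk}
            successes = [a for _, a, o in chunk if o == "success"]
            rate = len(successes) / len(chunk)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                if src not in flagged or len(chunk) > flagged[src]["attempts"]:
                    flagged[src] = {"attempts": len(chunk), "accounts": len(accounts),
                                    "compromised": sorted(set(successes))}
    return flagged

def accounts_to_lock(flagged):
    """Accounts that actually authenticated from a flagged source: lock these first."""
    return sorted({a for stats in flagged.values() for a in stats["compromised"]})

if __name__ == "__main__":
    hits = detect_credential_testing(build_sample_events())
    print(hits, accounts_to_lock(hits))
```

The legitimate user is not flagged because she only touches one account; the testing source is flagged and the two accounts it got into are the ones to lock and force through a password change.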