The Sony data breach story just keeps getting worse and worse. News reports yesterday stated that Sony, in its continuing investigation into the PlayStation Network breach, had discovered that the hackers had apparently also been able to initially penetrate Sony’s Online Entertainment (SOE) servers and had possibly stolen information from some 24.6 million customer accounts, bringing the total number of compromised accounts to over 100 million.
The Sony press release on the latest (or, as currently known, first) breach also said that:
“…information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained. We will be notifying each of those customers promptly.”
Sony went on to say that:
“We apologize for the inconvenience caused by the attack and as a result, we have:
1) Temporarily turned off all SOE game services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.
We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.”
Sony has declined to appear today before the US House Subcommittee on Commerce, Manufacturing, and Trade to discuss the data breach(es), but said it would be responding to the questions (PDF) sent to it by the subcommittee last week. Sony said that it was too busy with its ongoing investigation to appear.
Epsilon, which had a major data breach of its own recently, also declined to testify, although it has reportedly already answered subcommittee questions about its breach. There was no reason given as to why Epsilon declined to appear. My guess is that it didn’t want to be the only piñata in the room.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.