Sony Corp. said Tuesday that the credit card data of PlayStation users around the world may have been stolen in a hack that forced it to shut down its PlayStation Network for the past week, disconnecting 77 million user accounts.
Some players brushed off the breach as a common hazard of operating in a connected world, and Sony said some services would be restored in a week. But industry experts said the scale of the breach was staggering and could cost the company billions of dollars.
“Simply put, one of the worst breaches we’ve seen in several years,” said Josh Shaul, chief technology officer for Application Security Inc., a New York-based company that is one of the country’s largest database security software makers.
Sony said it has no direct evidence credit card information was taken, but said “we cannot rule out the possibility.”
It said the intrusion was “malicious” and that the company had hired an outside security firm to investigate. It has taken steps to rebuild its system to provide greater protection for personal information and warned users to contact credit agencies and set up fraud alerts.
“Our teams are working around the clock on this, and services will be restored as soon as possible,” it said in a blog post Tuesday.
The company shut down the network last Wednesday after it said account information, including names, birthdates, email addresses and log-in information was compromised for certain players in the days prior. Sony says people in 59 nations use the PlayStation network.
Purchase history and credit card billing address information may also have been stolen but the intruder did not obtain the 3-digit security code on the back of cards, Sony said. Spokesman Satoshi Fukuoka said the company has not received any reports yet of credit card fraud or abuse resulting from the breach.
Shaul said that not having direct proof of credit card information theft should not instill a sense of security, and could mean Sony just didn’t know what files were touched.
“They indicated that they’re worried about it, which is probably a very strong indication that everything was stolen,” he said.
If the intruder successfully stole credit card data, the heist would rank among the biggest known thefts of financial data.
Recent major hacks included some 130 million card numbers stolen from payment processor Heartland Payment Systems. As many as 100 million accounts were lifted in a break-in at TJX Cos., the chain that owns discount retailers T.J. Maxx and Marshalls, and some 4.2 million card numbers were stolen from East Coast grocery chain Hannaford Bros. Those attacks allegedly involved a single person- Albert Gonzalez, a Miami hacker who was sentenced last year to 20 years in prison for the attacks.
The Ponemon Institute, a data-security research firm, estimated that the cost of a data breach involving a malicious or criminal act averaged $318 per compromised record in 2010, up 48 percent from the year earlier.
That could pin the potential cost of the PlayStation breach at more than $24 billion.
Alan Paller, director of research for the SANS Institute, a security training organization, said that even if credit numbers weren’t stolen, knowing someone’s name, email address and which games he or she likes can lead to expertly crafted scam e-mails. Knowing billing histories can be even more harmful, since they can identify big spenders.
“If you know someone’s spent a lot on gaming, they could be a spectacular target,” he said.
The PlayStation break-in serves as a reminder of the danger of large-scale breaches, even as hackers gravitate toward smaller attacks that target specific, valuable data and are harder to detect.
The theft of credit card numbers has taken on a routine feel, even though instances of mega-breaches have been declining.
Verizon’s latest annual security report, one of the industry’s most authoritative analyses, found that the number of compromised records in cases examined by it and the U.S. Secret Service dropped from a record-breaking 361 million in 2008 to under 4 million last year.
The decline was the result of more targeted attacks, as well as the lack of major breaches to inflate the numbers.