Sony Playstation suffers massive data breach; firm criticized

By Isabel Reynolds and Liana B. Baker

TOKYO/NEW YORK (Reuters) - Sony Corp suffered a huge breach in its video game online network that allowed the theft of names, addresses and possibly credit card data belonging to 77 million user accounts, in one of the largest Internet security break-ins ever.

Sony said it learned of the breach in its popular PlayStation Network on April 19, prompting it to shut down the network immediately. Sony did not tell the public about the stolen data until Tuesday, hours after it unveiled its first tablet computers in Japan.

Executives at the tablet launch in Tokyo made no mention of the network crisis when the glossy devices were unveiled, nor at a later briefing with journalists. The tablets, which come in two sizes, will be the first to enable the use of PlayStation games and mark Sony's ambitious drive to compete with Apple's year-old iPad.

An "illegal and unauthorized person" obtained names, addresses, email addresses, birth dates, user names, passwords, logins, security questions and more, Sony said on its U.S. PlayStation blog.

A Sony spokesman said it took "several days of forensic investigation" after learning of the breach before the company knew consumers' data had been compromised.

The news sparked fury among some users.

"If you have compromised my credit information, you will never receive it again," read one message on the PlayStation Network blog from a user under the name Korbei83.

"The fact that you've waited this long to divulge this information to your customers is deplorable. Shame on you."

Sony is the latest Japanese company to come under fire for not disclosing bad news quickly.

Tokyo Electric Power Co was criticized for how it handled the nuclear crisis after the March 11 earthquake. Last year, Toyota Motor Corp was slammed for being less than forthright about problems over a massive vehicle recall.

U.S. Democratic senator Richard Blumenthal sent a letter to Sony asking it to explain why it didn't notify PlayStation owners sooner. Sony has also reported the breach to the Federal Bureau of Investigation, the New York Times reported.

The shutdown of the PlayStation Network prevented owners of Sony's video game console from buying and downloading games, as well as playing with rivals over the Internet.

Sony said it could restore some of the network's services within a week.

Alan Paller, research director of the SANS Institute, said the breach may be the largest theft of identity data information on record.

The online network was launched in the autumn of 2006 and offers games, music and movies to people with PlayStation consoles. It had 77 million registered users as of March 20, a Sony spokesman said, almost 90 percent of them in Europe or the United States.

Sony shares fell 2.0 percent in Tokyo in a broader market up 1.4 percent.

MAJOR SETBACK

The breach is a major setback for the electronics giant. Although video game hardware and software sales have declined globally, the PlayStation franchise is a substantial profit source and remains a flagship product for Sony.

It will be a blow for Kazuo Hirai, who was appointed to the company's No. 2 position last month after building up Sony's networked services.

The crisis could also overshadow Sony's plans to launch a new hand-held games device, the Next Generation Portable, by the end of the year.

"This will have regulators concerned about security, it will have consumer organisations concerned, it will have some gamers concerned."

How fast Sony can bounce back depends on a number of factors, said Ricardo Torres, editor-in-chief of Gamespot.com.

"It depends how soon the network comes up, but more importantly how Sony deals with their user base," Torres said. "Some kind of compensation has to be provided. 'Sorry' doesn't cut it for a lot of consumers at this point."

"The big question that will come up is what they're doing for security," he added.

Sony said children with accounts established by their parents might have had their data exposed.

It said it saw no evidence credit card numbers were stolen, but warned users it could not rule out the possibility.

"Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained," Sony said.

Analysts said that while Sony has notified customers of the breach, it had still not provided information on how user data might have been compromised.

"This is a huge data breach," said Wedbush Securities analyst Michael Pachter, who estimated Sony generates $500 million in annual revenue from the service. "The bigger issue with Sony is how will the hacker use the info that has been illegally obtained?"

Sony has hired an "outside recognized security firm" to investigate. It said user account information for the PlayStation Network and its Qriocity service users was compromised between April 17 and April 19.

The Japanese firm declined to comment on whether it was working with law enforcement officials.

SECURITY RISK

Paller said Sony probably did not pay enough attention to security when it was developing the software that runs its network. In the rush to get out innovative new products, security can sometimes take a back seat, Paller added.

"They have to innovate rapidly. That's the business model," Paller said. "New software has errors in it. So they expose code with errors in it to large numbers of people, which is a catastrophe in the making."

He suspected the hackers entered the network by taking over the PC of a system administrator, who had rights to access sensitive information about Sony's customers. They likely did that by sending the administrator an email message that contained a piece of malicious software that got downloaded onto his or her PC.

Hackers have stolen personal data in the past from large companies. In 2009, Albert Gonzalez pleaded guilty to stealing tens of millions of payment card numbers by breaking into corporate computer systems at companies such as 7-Eleven Inc and Target Co. of the United States.

Sony said its users could place fraud alerts on their credit card accounts through three U.S. credit card bureaus, which it recommended in its statement.

The company has struggled for years to control the activities of the hackers who make up a portion of PlayStation's fanbase.

Earlier this month, games fan website PlayStation Lifestyle said a group calling itself Anonymous had conducted attacks on Sony websites and online services, motivated by revenge for the company's attempts to clamp down on hacking.

(Additional reporting by Victoria Thieberger in Sydney, Tim Kelly in Tokyo and Jim Finkle in Boston; Editing by Lincoln Feast, Anshuman Daga and Dean Yates)