As feared, the situation has gone from bad to worse for Sony. The company shut down Station.com yesterday morning, and Sony Online Entertainment has since confirmed that the PC service was compromised in the same attack that brought down the PSN on April 16.
Sony has admitted that hackers gained access to personal information in 24.6 million Station.com accounts, as well as an additional 12,700 non-U.S. credit card numbers and 10,700 direct debit records of customers in Austria, Germany, the Netherlands and Spain.
Sony issued a press release as soon as they learned that the breach had taken place and informed the 24.6 million affected customers that the lost information included names, addresses, e-mail addresses, birthdates, genders, phone numbers, login names, and hashed passwords. The compromised credit card data includes card numbers and expiration dates (but not security codes), with approximately 4,300 of the 12,700 numbers originating from Japan and the remainder located in the aforementioned European countries.
Amazingly, however, things actually could have been much worse for Sony. All of the credit and debit records were on “an outdated database from 2007,” which means that much of the credit card information may not even be valid and – as with the PSN – Sony insists that there is no evidence to show that their current credit card servers have been compromised. Given the nature of the press, Sony may also be secretly thankful that the hacked accounts are located in Europe. That’s obviously small consolation to people who live in the affected countries, but – as unfair as it might be – it might mitigate the backlash here in North America.
Of course, that doesn’t even come close to exonerating Sony, and the lost debit accounts are still an extremely troubling concern. The hackers grabbed bank account numbers, customer names, account names, and customer addresses, and people don’t change bank accounts as often as they do credit cards, so chances are good that at least a few of those 10,700 names have information that a criminal might find appealing.
To apologize for the attack, Sony will add a full 30 days of free playtime to every Station.com subscription. They’ll also be compensating fans with one additional day for every day that the system stays down, and a “make good” plan for customers of DC Universe Online and Free Realms is also in the works.
Station.com and the PSN operate as separate systems, but after a bit of digging Sony confirmed that the two attacks were related, saying that, “there is some degree of architecture that overlaps. The intrusions were similar in nature. This is NOT a second attack; new information has been discovered as part of our ongoing investigation of the external intrusion in April.”
To ensure customer security in the future, Sony will offer complimentary assistance to people looking to sign up for identity theft protection services at a local level. The details for the proposed scheme have not yet been revealed.
And for the moment, that’s pretty much it. If someone has been shopping credit card numbers, it’s possible that they came from Station.com and not the PSN, although it’s probably all the same to Sony. The company will have to do even more damage control, and they can only hope that people will start to forget about the incident once the PSN is back up and running.