As we mentioned last week, things just keep getting worse for Sony. Hackers gained access to the PlayStation Network’s backend on April 19th, and the service (along with on-demand service Qriocity) has been offline since a few days after the attack.
A few days ago Sony released a statement saying the illicit intruders would have had access to user details such as names, addresses and passwords. Sony also said that credit card details “may have been obtained”. Now chatter in hacker forums and some reports by security analysts seem to have confirmed that credit card details were indeed lifted.
As the Guardian notes, security expert Kevin Stevens tweeted –
“The hackers that hacked PSN are selling off the DB. They reportedly have 2.2 million credit cards with CVVs”
However, the claim that the database is complete with CVV numbers (the three-digit security number on the back of credit cards) has been disputed by some, as these details were never stored by Sony.
Regardless of the legitimacy of the claims, some PSN users are already seeing erroneous charges pop up on their cards. A number of Ars Technica readers have reported fraudulent activity – much of it located in Germany.
Sony are doing their best to deal with the tidal wave of criticism crashing over them, holding a number of Q&A sessions on their PlayStation Blog, detailing what has been happening since the network was taken offline, what will happen once it resumes service, and whether patient PSN users will be rewarded for the downtime (“We are currently evaluating ways to show appreciation for your extraordinary patience”).
The FBI has stepped in to assist Sony with the investigation into the malicious activity. Meanwhile, a House of Representatives subcommittee has sent a letter to Sony asking for more details on the attack – presumably to make sure the data was in fact being held securely and Sony wasn’t in dereliction of its data security duties.
One thing’s certain for Sony – this is going to get worse before it gets better.