April 30, 2011

Is PlayStation Network Personal Data For Sale?

Hackers claiming responsibility for a recent huge security breach of Sony's online gaming network said they are now trying to sell PlayStation owners' credit card details, according to a report by the NY Times.

The discussions discovered on hacker forums suggest that as many as 2.2 million credit card numbers, as well as names, addresses, usernames and passwords, could have been stolen. Some hackers have even said they are trying to sell the list for $100,000 plus.

The claims were relayed by security researchers trying to find out more about the breach through the underground forums. So far the claims are unverified.

After disclosing the breach on Tuesday, Sony Corp. said that the unencrypted details of some 77 million PlayStation Network and Qriocity users were stolen, but said it was unaware that a separate encrypted data table of credit card information had been accessed.

The company said on Thursday that it was working with investigators in the wake of the "internal intrusion" that resulted in the theft of personal data worldwide.

Sony shut down the PlayStation Network and the Qriocity music streaming service on April 19, and will restore the services only after the company is confident the network is secure, said Sony spokesman Patrick Seybold.

"We want to be very clear that we will only restore operations when we are confident that the network is secure," Seybold wrote on Thursday in a blog posting on the PlayStation website.

Security researcher Kevin Stevens said a database of 2.2 million PlayStation Network credit cards was being offered for sale on hacker forums. He said that sellers also claimed to have the three-digit security codes from the back of the cards.

He said, however, that he "never saw the database," so he couldn't verify that it was authentic.

Forum postings also claimed the hackers tried to sell the data back to Sony, but did not receive a response.

"Sony is saying the credit cards were encrypted, but we are hearing that the hackers made it into the main database, which would have given them access to everything, including credit card numbers," Mathew Solnik, a security consultant with iSEC Partners, told the New York Times.

Researchers believe the hackers most likely gained access by first hacking a PlayStation console, which they used to infiltrate Sony's servers, Solnik said.

Even without credit card data, the theft is already considered among the biggest in history and Sony is likely to face numerous lawsuits over its security procedures.

Although the network has been shut down indefinitely, users can still purchase games, or connect to other players in multiplayer games across the cloud-based network.

Sony has already been sued over the breach and could face further legal action across the world.

