Sony has issued a statement in an attempt to calm growing anger over its handling of the current PSN crisis. Given that the service has been down since last week, and that Sony knew of a security breach as early as the 19th, questions have arisen as to why it took the company until yesterday to inform users of the potential threat to their personal details.
“There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised,” explained Patrick Seybold, Senior Director of Corporate Communications & Social Media (via the PS Blog).
“We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.”
Sony issued an email to PSN users yesterday:
“We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained.”
“While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”
If you currently use your PSN email, username, or password combination on other online accounts, Sony recommends that you change them. In response to calls for refunds from consumers, the company has said that it “will assess the correct course of action” when “the full services are restored and the length of the outage is known”.
Sony has come under fire from consumer groups and even a US politician over the breach; Paul Gibson, Chairman of UK consumer pressure group Gamers’ Voice issued the following statement today:
“It is astonishing that it has taken Sony so long to confirm the disturbing news that they are potentially the source of stolen credit card information. We are sure that Gamers would at least have appreciated the warning of the possibility much earlier that a full week after the event took place. We see no reason why such a warning could not have been made earlier and can only presume that Sony were attempting to 'save face'. We note that many parties are now putting pressure on Sony to provide explanations, including a US Senator. We are contacting the Information Commissioner in the UK to see what powers they have to investigate this matter further, and hopefully to force some answers into the spotlight.”
The Information Commissioner’s Office (ICO) oversees data protection laws in the UK, and has the power to prosecute companies that commit offences under the legislation.
"Any business or organisation that is processing personal information in the UK must ensure they comply with the law, including the need to keep data secure." a spokesperson for the ICO told Eurogamer today.
"We have recently been informed of an incident which appears to involve Sony. We are contacting Sony and will be making further enquiries to establish the precise nature of the incident before deciding what action, if any, needs to be taken by this office."
More as we get it...