Hackers posting on underground forums claim the data stolen from the PlayStation Network includes user names, addresses, dates of birth, credit card numbers, expiration dates and card verification value (CVV) numbers. Brian Krebs of Krebs on Security linked from his Twitter feed to a host of screenshots from hacker forums that illustrate the dialogue there. Other reports claim that hackers are boasting they have credit card information from more than 2 million customers.
Sony, meanwhile, has yet to confirm the data was actually stolen, but says some of the accessed data was encrypted. From a Sony FAQ on its website:
“All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”
Sony shut down the popular gaming network for more than a week after the breach was detected April 17.
A class-action suit against Sony was filed yesterday in San Francisco alleging damages from the breach. The complaint seeks payment for damages, payment of credit monitoring fees and refunds from Sony and Qriocity, its movie and game-streaming service provider, Bloomberg reported yesterday.
Legislators have also chimed in. Rep. Ed Markey (D-MA) and Rep. Mary Bono Mack (R-CA) want more details from Sony on the breach, and Mack says the incident could prompt introduction of another consumer data protection bill. Sony says it is in the process of upgrading the security of its network infrastructure and has hired an unnamed security company, working in conjunction with law enforcement, to conduct forensics investigations.
A recent Ponemon Institute report on the cost of a data breach estimates the cost at $214 per lost record, a 5% jump over the last report. More than 77 million records may have been breached in the Sony attack.