Sony has said there is no evidence that credit cards have been stolen from customers using its online service, despite claims that a list of 2.2 million cards are already on sale on the black market. The company has also confirmed its separate Sony Online Entertainment PC games network was hit by another cyber attack, resulting in more personal information being stolen.
The theft comes on top of the 77 million PlayStation accounts taken in a cyberattack revealed last week.
This latest breach – of its Sony Online Entertainment PC games network – was discovered after a review of the PlayStation Network intrusion.
Sony said it occurred a day earlier than the PlayStation break-in between April 17 to 19.
The names, addresses, emails, birth dates, phone numbers and other information for 24.6m PC games customers were stolen from its servers.
Sony also said the financial records of users from an outdated 2007 database involving people outside the US may have been stolen, including 10,700 direct debit records of customers in Austria, Germany, the Netherlands and Spain.
Credit Cards for sale?
However, Sony has refuted claims that the information from the 10 million credit cards registered with its PlayStation Network has been stolen by a hacker who penetrated the company’s online game service.
Security researchers who frequent criminal websites last week relayed unverified claims that a list of 2.2 million PlayStation Network users’ credit cards, complete with three-digit security codes, was on offer.
It was also said that hackers initially tried sell the stolen data back to Sony but were ignored.
Sony denied the claims on Monday.
“To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list,” said Nick Caplin, the firm’s head of communications in Europe.
Since Sony admitted last Tuesday that hackers had stolen the personal details of 77 million PlayStation Network users, attention has focused on the fate of the accompanying credit card data.
Sony did not confirm that credit card data was encrypted until Thursday, drawing criticism from security experts and customers worried about fraudulent transactions.
Sony said it is conducting a thorough investigation into the breach, while working with law enforcement to track down and prosecute those responsible for the attack.
The company said it is creating a new executive position of chief information security officer to oversee the protection of customer data. In addition, Sony said it will improve detection of future attacks and increase levels of data protection and encryption.
Other measures Sony plans to adopt include implementing additional firewalls, expediting a move to an already planned move of the system to a new data center and asking users to change their passwords upon signing onto the PlayStation Network.
‘Welcome back’ incentives
In a press conference conference, they stated that the PSN would be back up and running within the week and that it would offer a number of “welcome back” incentives as an apology.
Plans are currently in place to offer a number of yet-to-be-revealed free downloads in addition to 30-day free access to both PlayStation Plus and Qriocity, Sony’s on-demand streaming music, video, e-book and games service.
The company has said it plans to get the Playstation Network back up this week.