An expert says she isn’t seeing evidence that thieves are using Sony payment data.
Sony Corp. is bringing back the online gaming services it suspended in late April after it detected a breach at its San Diego data center that resulted in the theft of personal information about more than 100 million customers.
Sony initially said hackers stole information on 77 million PlayStation Network customers, including names, addresses, e-mail addresses and birth dates. The company later said the attackers also obtained information from 24.6 million customer accounts at Sony Online Entertainment.
Sony now says the criminals may also have taken payment card data for upward of 10 million customers in the PlayStation hack and from more than 12,000 consumers in the attack on Sony Online Entertainment.
Julie Fergerson, vice president of emerging technologies at Ethoca Ltd., a payment security firm that tracks payment fraud, says she’s been analyzing fraud data to see if criminals have been making us payment data stolen from Sony, but so far she hasn’t seen anything she can definitively tie to the breaches. She says the Ethoca network is seeing a spike in payment fraud, but the spike began before the Sony breaches occurred and that the type of data being used to perpetrate the recent fraud isn’t of the type the hackers obtained from Sony.
“The spike we are seeing is where the criminals have all the data elements—names, addresses, credit card numbers, CVV numbers,” Fergerson says. CVV numbers refer to card verification values, typically a three-digit code that appears on the back of a payment card that helps e-retailers verify that a payment card is in a consumer’s possession during a card-not-present transaction. “I don’t think it is related to Sony, but that doesn’t mean the Sony hackers won’t use the data they got to phish.” Phishing is when a criminal sends e-mails that are made to look like they are coming from legitimate organizations and ask recipients for personal information. E-mails that contain personal information, such as a consumer’s address or date of birth, may appear more legitimate and thus lead more recipients to provide confidential information.
Sony earlier this week apologized for the breach and made available a “welcome back” appreciation package to gaming customers that offered a selection of free games and 30-day free upgrades to premium services. "We know even the most loyal customers have been frustrated by this process and are anxious to use their Sony products and services again," says Kazuo Hirai, executive deputy president, Sony Corp. "We are taking aggressive action at all levels to address the concerns that were raised by this incident, and are making consumer data protection a full-time, companywide commitment."
Sony also appointed Fumiaki Sakai, currently the president of Sony Global Solutions Inc., as acting chief information security officer. Sony Corp.’s SonyStyle.com is No. 14 on Internet Retailer’s Top 500 Guide and includes revenue from Sony’s PlayStation Network.