Sony Corp. said Monday that hackers may have taken personal information from an additional 24.6 million user accounts after a review of the recent PlayStation Network breach found an intrusion at a division that makes multiplayer online games.
The data breach comes on top of the 77 million PlayStation accounts Sony has already said were jeopardized by a malicious intrusion, for a total of more than 101 million.
The latest incident occurred April 16 and 17 — earlier than the PlayStation break-in, which occurred from April 17 to 19, Sony said.
About 23,400 financial records from an outdated 2007 database involving people outside the U.S. may have been stolen in the newly discovered breach, including 10,700 direct debit records of customers in Austria, Germany, the Netherlands and Spain, it said.
Names, bank account numbers
The outdated information contained credit card numbers, debit card numbers and expiration dates, but not the three-digit security code on the back of credit cards.
The direct debit records included bank account numbers, customer names, account names and customer addresses.
Company spokeswoman Taina Rodriguez said Sony had no evidence the information taken from Sony Online Entertainment, or SOE, was used illicitly for financial gain.
"We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1 we concluded that SOE account information may have been stolen and we are notifying you as soon as possible," Sony said in a message to customers.
Sony said that it shut service Monday morning to Sony Online Entertainment games, which are available on personal computers, Facebook and the PlayStation 3 console. Its most popular games include "EverQuest," "Free Realms" and "DC Universe Online."
The company said it will grant players 30 days of additional time on their subscriptions, along with one day for each day the system is down. It is also creating a "make good" plan for its multiplayer online games.
Promise of better security
On Sunday, Sony executives bowed in apology and said they would beef up security measures after an earlier breach caused the company to shut down its PlayStation network on April 20.
"We deeply apologize for the inconvenience we have caused," said Kazuo Hirai, chief of Sony's PlayStation video game unit, who was among the three executives who held their heads low for several seconds at the company's Tokyo headquarters in the traditional style of a Japanese apology.
The company is working with the FBI and other authorities to investigate what it called "a criminal cyber attack" on Sony's data centre in San Diego, Calif.
The company said it would offer "welcome back" freebies such as complimentary downloads and 30 days of free service to PlayStation customers around the world to show remorse and appreciation.
PlayStation spokesman Patrick Seybold, in a blog post Monday, denied a report that said a group tried to sell millions of credit card numbers back to Sony.
Blow to company
He also said that while user passwords had not been encrypted, they were transformed using a simpler function called a hash that did not leave them exposed as clear text.
Yoh Mikami, a writer specializing in electronic security in Japan, said Sony's network business had suffered a serious blow as people saw its reliability plunging. He said Sony also waited too long, more than a week, to tell users what had happened.
"What became clear today is that Sony didn't even know its server had a vulnerability," said Mikami. "Sony's crisis management came too little, too late."