Sony Computer Entertainment has released a statement finally explaining why its PlayStation Network service has been down most of the past week, saying that an illegal intrusion into its network has compromised its database of user account information.
In a PlayStation Blog statement
by SCEA's Patrick Seybold, the company claims an unauthorized entry into both the PlayStation Network and Sony's music and video service Qriocity was made by an unnamed group that compromised "certain...user account information."
According to a letter
currently being sent to all of Sony's registered account holders, the company believes that "an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID."
Other compromised information across the PlayStation Network includes "purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers."
Sony says that while there is no evidence of credit card info being stolen, the company "cannot rule out the possibility," and advises users who have connected a card to their accounts that credit card numbers and expiration dates (though not security codes) may have been obtained by a third party.
Sony's letter goes on to suggest actions an affected user should take, including being vigilant about communications that ask for personal information, changing any passwords shared with a user's PSN account, and contacting U.S. credit bureaus to issue a fraud alert.
Sony has clarified to Gamasutra that this information seems to apply to all accounts, with Seybold telling us "Our investigation indicates that all PlayStation Network/ Qriocity accounts may have been affected."
PlayStation Network services are expected to be resumed within a week, says Seybold, after its system undergoes a "re-building" to provide better protection.
Sony has updated its support site with a FAQ
about the attack.
In an official statement to Gamasutra, the company also said that it didn't wait nearly a week to alert users that their personal information was compromised -- that revelation only came on Monday, SCEA said.
"There's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised," the company explained. "We learned there was an intrusion April 19th and subsequently shut the services down."
"We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident," the statement continued. "It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday [April 25] to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon [April 26]."]