Has Sony PlayStation lost your credit card details?Sony data breach hits 77m PSN and Qriocity users

27 April 2011

Sony PlayStation Network

The PlayStation Network has been taken down after a security breach, which has potentially compromised up to 77 million users' personal details.

Sony PlayStation has admitted a huge breach in its video game online network. The name, address, date of birth and potentially the credit card details of up to 77 million users have been stolen in what is believed to be one of the biggest-ever online data breaches.

Sony PlayStation has come in for fierce criticism for the 7-day delay in announcing the breach, leaving customers at risk of identity fraud.

The company learned a week ago that PlayStation Network (PSN) and Qriocity user details had been stolen. While it did shut down the network immediately, it did not announce the breach until yesterday.

Where possible, Sony PlayStation has contacted customers it believes are affected by an email detailed further down this page.

  • UPDATE: Financial Fraud Action UK, the card industry's anti-fraud umbrella group, has stated that of the Sony PlayStation accounts compromised worldwide in the Sony PlayStation Network incident, 3 million are based in the UK.

What personal information has been compromised in the Sony PlayStation data breach?

Sony PlayStation believes that the following information provided by PlayStation Network (PSN) and Qriocity account holders may have been stolen:

  • Name, address, email address and date of birth
  • PlayStation Network/Qriocity password, login and handle/PSN online ID
  • Purchase history and billing address
  • If an account holder has authorised a sub-account for a dependent, the same data with respect to that dependent may have been stolen
  • If an account holder provided credit card data through PlayStation Network or Qriocity, it is possible that the credit card number (excluding security code) and expiration date may have been obtained

Take action if you think your details have been stolen

If you're a Sony PlayStation or Qriocity customer and think your details may have been stolen, there are steps you can take to protect yourself:

  • Check your bank account and credit card statements carefully. If you notice any unusual or unauthorised transactions, contact your bank immediately
  • Check your credit file. By ordering your £2 statutory credit reports from Experian, Equifax and Callcredit, you'll be able to spot if anyone has applied for credit in your name
  • Watch out for spam emails. Security breaches such as the Sony PlayStation one are likely to lead fraudsters to attempt to cash in on consumer panic. If you receive an email from Sony PlayStation asking for your PSN or Qriocity sign-in ID and password, do not reply. Sony PlayStation has confirmed that it will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information
  • Change your online passwords. Too many of us use the same online passwords for everything. If you use your PSN or Qriocity passwords for any other online activities, especially online banking, make sure you change your password today. Read our reviews of the best and worst banks for online security

Read the email from Sony PlayStation

The pdf below contains the full text of the email sent to PSN and Qriocity users.


Sony PlayStation delayed security breach announcement by a week

A blog post by Patrick Seybold, Sony PlayStation's senior director of corporate communications and social media, admits that there was a difference in timing between when it identified there was an intrusion and when it realised consumers’ data had been compromised: 'We learned there was an intrusion on 19 April and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.'

Which? technology editor Matthew Bath says the breach - and Sony PlayStation's handling of it - has left customers in the dark.

'Millions of Sony PlayStation customers are understandably worried that Sony PlayStation kept details of this massive data breach under wraps for so long - and we've heard from consumers who think they are going to have to shred their credit card to protect their accounts,' he says. 'Sony PlayStation needs to come clean with all the details of the breach, be transparent about the data that has been stolen, and help its customers with the next steps they need to secure their private data.'

Unclear whether you'll get a refund

If you've paid for online content, including a subscription to PSN or Qriocity you may want to put in a refund claim for the period when these services were unavailable. Sony PlayStation has acknowledged the potential financial impact on its customers and has pledged to review the options and update customers once the service is restored.

For more details on putting in a claim, read the Which? guide How to complain to companies.

Protect yourself from ID Fraud

For more information on protecting your identity and your financial details, read the Which? guide How to avoid identity fraud, including tips to help you avoid phishing and skimming scams, and advice on how to properly dispose of financial information.

We recommend that you don't buy identity theft insurance either - if you need convincing, here are five reasons why identity theft insurance is rarely worth the money.

You can also visit Which? Conversation to have your say about companies that lose consumers' financial details and about useless ID fraud insurance

The video below provides a guide to what steps you should take to avoid becoming a victim of identity fraud:


Please enable JavaScript to access this content.

Video transcript

Hello, I'm Martin Hocking and I'm here to help you protect yourself and your money against identity fraud. Now, losses from credit and debit card fraud reached £535 million in 2007. That was up 25% from on previous year. These statistics statistics are worrying, but there are some key steps you can take to decrease the chances of becoming a victim of the fraudsters.

You can start by examining your bank and credit card statements. carefully to check for any transactions that you don't recognize. Keep receipts from credit and debit card purchases, to help you do this. Report any fraudulent transactions you spot to your bank or card provider immediately. As fraudsters commit identity theft by stealing personal information about you.

To stop them getting their hands on your details from old documents, shred or rip up old bank statements , utility bills, receipts and anything showing your name and address before throwing it away. If you move house, you should also redirect your mail to your new address using Royal Mail's redirection service, for at least a year afterwards.

When you're picking passwords for financial websites,
avoid using information that could easily be
obtained by fraudsters
such as you mother's maiden name for example. A combination of letters and numbers is the most secure
form of password, but obviously choose something that you can
remember without having to write it down.

Now we are all doing a lot more shopping online these days. Very important to check the beginning of the address of a website is changing from the letters http to https when you're paying for something online and the image of a padlock lock will appear as well, usually at the top of the computer screen.

Check this happens when you're shopping on the internet to make sure your payment details are protected. You should also protect your computer with anti virus software and a firewall to prevent fraudsters accessing your hard drive. It is important to notify your bank or creditor provider as soon as possible, if your cards are stolen or have been lost.

You should also do this if you notice fraudulent or suspicious transactions on your statements. It's worth keeping a note of these relevant telephone numbers in you purse or wallet, it really takes the stress out of that situation. It means they're accessible even if you're away from home. Here's another one.

It sounds simple, but it's very important. Do not allow someone else to use your debit or credit card by giving them your PIN. This could be seen as acting without reasonable care by your bank, should any money be taken from you fraudulently and it couldn't make it that much harder to claim the money back.

For the same reason you should never record your pins or passwords in a way that would make accessible to fraudsters. And obviously never store them with your cards. The banking code says that you're not liable for more than £50 if your card is lost or stolen and then used fraudulently, but this does not apply if your bank can show that you acted without reasonable care.

And they would say writing your PIN down and sticking it in your wallet is not acting with reasonable care. Finally, if someone contacts you by phone or email or claiming to be from your bank or credit card company, don't give out any personal details without first making sure they are who they say they are for example, by phoning them back.

In reality, your bank will never ask you for your pin or password over the phone, they simply don't need that information. ones asking for it, they're almost certainly a fraudster.


pound coins

Which? Money when you need it

You can follow @WhichMoney on Twitter to keep up-to-date with our Best Rates and Recommended Provider product and service reviews.

Sign up for the latest money news, best rates and recommended providers in your newsletter every Friday.

Or for money-saving tips, and news of how what's going on in the world of finance affects you, join Melanie Dowding and James Daley for the Which? Money weekly money podcast

For daily consumer news, subscribe to the Which? news RSS feed here. And to find out how we work for you on money issues, visit our personal finance campaigns pages.