Sony PlayStation has admitted a huge breach in its video game online network. The name, address, date of birth and potentially the credit card details of up to 77 million users have been stolen in what is believed to be one of the biggest-ever online data breaches.
Sony PlayStation has come in for fierce criticism for the 7-day delay in announcing the breach, leaving customers at risk of identity fraud.
The company learned a week ago that PlayStation Network (PSN) and Qriocity user details had been stolen. While it did shut down the network immediately, it did not announce the breach until yesterday.
Where possible, Sony PlayStation has contacted customers it believes are affected by an email detailed further down this page.
- UPDATE: Financial Fraud Action UK, the card industry’s anti-fraud umbrella group, has stated that of the Sony PlayStation accounts compromised worldwide in the Sony PlayStation Network incident, 3 million are based in the UK.
What personal information has been compromised in the Sony PlayStation data breach?
Sony PlayStation believes that the following information provided by PlayStation Network (PSN) and Qriocity account holders may have been stolen:
- Name, address, email address and date of birth
- PlayStation Network/Qriocity password, login and handle/PSN online ID
- Purchase history and billing address
- If an account holder has authorised a sub-account for a dependent, the same data with respect to that dependent may have been stolen
- If an account holder provided credit card data through PlayStation Network or Qriocity, it is possible that the credit card number (excluding security code) and expiration date may have been obtained
Take action if you think your details have been stolen
If you’re a Sony PlayStation or Qriocity customer and think your details may have been stolen, there are steps you can take to protect yourself:
- Check your bank account and credit card statements carefully. If you notice any unusual or unauthorised transactions, contact your bank immediately
- Check your credit file. By ordering your £2 statutory credit reports from Experian, Equifax and Callcredit, you’ll be able to spot if anyone has applied for credit in your name
- Watch out for spam emails. Security breaches such as the Sony PlayStation one are likely to lead fraudsters to attempt to cash in on consumer panic. If you receive an email from Sony PlayStation asking for your PSN or Qriocity sign-in ID and password, do not reply. Sony PlayStation has confirmed that it will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information
- Change your online passwords. Too many of us use the same online passwords for everything. If you use your PSN or Qriocity passwords for any other online activities, especially online banking, make sure you change your password today. Read our reviews of the best and worst banks for online security
Read the email from Sony PlayStation
The pdf below contains the full text of the email sent to PSN and Qriocity users.
Email from PlayStation to PSN registrants (PDF: 22Kb)
Sony PlayStation delayed security breach announcement by a week
A blog post by Patrick Seybold, Sony PlayStation’s senior director of corporate communications and social media, admits that there was a difference in timing between when it identified there was an intrusion and when it realised consumers’ data had been compromised: ‘We learned there was an intrusion on 19 April and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident.’
Which? technology editor Matthew Bath says the breach – and Sony PlayStation’s handling of it – has left customers in the dark.
‘Millions of Sony PlayStation customers are understandably worried that Sony PlayStation kept details of this massive data breach under wraps for so long – and we’ve heard from consumers who think they are going to have to shred their credit card to protect their accounts,’ he says. ‘Sony PlayStation needs to come clean with all the details of the breach, be transparent about the data that has been stolen, and help its customers with the next steps they need to secure their private data.’
Unclear whether you’ll get a refund
If you’ve paid for online content, including a subscription to PSN or Qriocity you may want to put in a refund claim for the period when these services were unavailable. Sony PlayStation has acknowledged the potential financial impact on its customers and has pledged to review the options and update customers once the service is restored.
For more details on putting in a claim, read the Which? guide How to complain to companies.
Protect yourself from ID Fraud
For more information on protecting your identity and your financial details, read the Which? guide How to avoid identity fraud, including tips to help you avoid phishing and skimming scams, and advice on how to properly dispose of financial information.
We recommend that you don’t buy identity theft insurance either – if you need convincing, here are five reasons why identity theft insurance is rarely worth the money.
The video below provides a guide to what steps you should take to avoid becoming a victim of identity fraud:
Which? Money when you need it
You can follow @WhichMoney on Twitter to keep up-to-date with our Best Rates and Recommended Provider product and service reviews.
Sign up for the latest money news, best rates and recommended providers in your newsletter every Friday.
Or for money-saving tips, and news of how what’s going on in the world of finance affects you, join Melanie Dowding and James Daley for the Which? Money weekly money podcast
For daily consumer news, subscribe to the Which? news RSS feed here. And to find out how we work for you on money issues, visit our personal finance campaigns pages.