The hacking attack at Sony is even worse than first reported, the company announced today. Sony’s researchers discovered that a second database was breached by hackers, bringing the total number of people exposed to greater risk of identity theft to over 100 million.
The new breach occurred at Sony Online Entertainment, a subsidiary based in San Diego that creates online computer games. Hackers gained access to 24.6 million customer accounts, Sony said in a press release, including consumers’ names, addresses, emails, birthdates, phone numbers and login information.
In addition, 23,400 of those affected had their credit and debit card numbers stolen. None of the exposed credit and debit customers live in the U.S., the company said in a press release.
“The company is working with the FBI and continuing its own full investigation while working to restore all services,” Sony said in the release.
The original data breach, reported in late April, exposed 77 million people to identity theft. The first breach affected consumers who had signed up for Sony’s PlayStation and Qriocity online networks to receive video games, music and streaming videos.
At the beginning of a press conference on Sunday to discuss the original breach, three top leaders of Sony gave long bows, a traditional Japanese expression of apology. The executives acknowledged that Sony’s leaders had known the company’s computer systems were vulnerable to attack.
“The fact that there was inherent risk associated with those services was known, not just by Sony but everyone involved,” Shiro Kambe, Sony’s spokesman, said during the press conference.
So far, Sony has stopped well short of offering any kind of credit or identity theft protection to consumers whose names, credit card numbers, addresses, birthdays and billing histories may have been stolen. Instead, the company’s leaders announced Sony will compensate users by offering selected video games to all users at no cost, and extending a month’s worth of free service to premium customers.
The company’s leaders also declined to give any firm dates for when full service on the PlayStation and Qriocity networks will be reinstated. They indicated it may be a month before both systems are up and running.
The hackers had to infiltrate three separate firewalls to gain access to customers’ information, meaning that the attack was highly sophisticated, Kambe said. Nevertheless, Sony knew its systems were not foolproof even before they were hacked.
“The vulnerability was a known vulnerability,” corporate information officer Shinji Hasejima said during the press conference.
The hackers had access to the database from April 17 to 19. Sony discovered the breach days later and shut down the networks, as we previously reported.