Updated: Tuesday, 8:15 a.m. PST
Another day. Another massive security breach at Sony.
Sony has announced that, in addition to the PlayStation Network breach, hackers have entered the company’s Sony Online Entertainment servers. Intruders not only gained access to personal data from almost 25 million customer accounts — among them players of the long-running online PC game "EverQuest" — but have also likely stolen more than 23,000 credit card numbers and bank account numbers.
And now some are calling for Sony CEO Howard Stringer to step down because of his company's bungled handling of the secruity breaches.
"We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack," read the notification posted to the Sony Online Entertainment website Monday afternoon.
Sony says the stolen information includes names, addresses, e-mail addresses, birthdates, gender, phone numbers, login names and hashed passwords.
Sony has said some 24.6 million user accounts were involved in this SOE breach. This news comes on the heels of Sony announcing last week that hackers had breached the PlayStation Network and accessed personal information from some 77 million accounts housed there.
SOE is a separate service from the PlayStation Network and hosts online PC and PlayStation 3 games like the new "DC Universe Online," the long-running online role-playing game "EverQuest" and the popular game "Free Realms."
But for some overseas Sony customers, Monday’s SOE news was even more grim than the PlayStation Network news has been. Sony has said repeatedly they do not believe that credit card numbers were taken in the PSN breach (though they admit they can't know for sure).
To be clear, Sony Online Entertainment says there is no evidence that their main credit card database was compromised. However, Sony admitted that some credit card numbers and bank account numbers from European customers held on an oudated database may have been obtained in this newly discovered SOE breach.
Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained. We will be notifying each of those customers promptly.
From bad to worse
On Monday morning Sony announced that it had shut down its Sony Online Entertainment servers to investigate "an issue" that warranted concern.
Though the Sony Online Entertainment service had experienced a short "service interruption" during last week's PlayStation Network brouhaha, SOE had said the Sony Online systems and databases are separate from the PlayStation Network and they believed these servers had been spared in the breach.
But that news changed Monday afternoon with Sony admitting:
We had previously believed that SOE customer data had not been obtained in the cyber-attacks on the company, but on May 1st we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.
Sony says it has now turned off all SOE game services, including its Facebook games, and engaged an outside security firm to conduct a full investigation and is in the midst of strengthening its network infrastructure.
The company has also said it will give players 30 days of free time on their subscriptions as well as one day for each day the system is down. It is also creating a "make good" plan for its multiplayer online games.
Over the weekend, Sony officials issued a formal apology for the PlayStation Network breach, with top officials offering a long formal bow of apology to their customers, as is the Japanese tradition. The company has said it will resume some PlayStation Network services this week but there is no word yet on when the Sony Online Entertainment services will go back online.
Trouble for top brass
Meanwhile, some investors are saying that Sony and 69-year-old chief executive Stringer have severely botched the data security crisis, which comes as a significant blow for a company already struggling to match recent hit products from rivals including Nintendo, Samsung Electronics and Apple.
"The way Sony handled the whole thing goes to show that it lacks the ability to manage crises," Michael On, a fund manager at Beyond Asset Management in Taipei, who does not own Sony shares, told Reuters. "The current CEO should step down after the hacker problems and the company's failure to push out products that are competitive."
Welsh-born Stringer, a former TV producer who was knighted in 2000, has not commented on the security breach, leaving Kazuo Hirai to lead a news conference and apology on Sunday. Stringer in March committed to stay in his role at Sony for the current year at least. Hirai, the likely successor to Stringer, had spearheaded the development of Sony's networked businesses until March, when he was promoted to the number 2 position as executive deputy president.
But another fund manager who sold Sony shares last year and was not authorised to talk publicly about the company told Reuters that Hirai may not escape the fiasco unscathed either.
"The leadership of Sony is not in a good place right now, which could lead to Stringer stepping down and may sabotage Hirai's chances of succeeding as the CEO," said the Taipei-based fund manager.
(Reuters contributed to this report.)
For more on this topic, check out:
- Sony sued, could bleed billions following PlayStation Network hack
- Games to play while PlayStation's network is down
- How will Sony make amends to gamers?
- Former PlayStation hacker blames Sony arrogance for breach
Winda Benedetti writes about games for msnbc.com. You can follow her tweets about games and other things right here on Twitter.