Sorry Sony admits it held 10m credit cards

Sony has apologised for a security breach of its PlayStation Network and confirmed that it held 10 million credit card numbers that could have been exposed in the attack.  

"First, we'd like to extend our apologies to the many PlayStation Network and Qriocity users who we inconvenienced and worried because we potentially compromised their customer data," said consumer products boss, Kazuo Hirai on Sunday, before he, Sony's CIO, Shinji Hasejima and head of communications, Shiro Kambe, lowered their heads in an extended bow.

At the Sunday press briefing, Hirai announced Sony would appoint its first chief information security officer (CISO), reporting to Hasejima, as one measure to avoid a reoccurence. 

Hasejima said Sony had suffered  a "highly sophisticated attack by a skilled intruder" that had infiltrated Sony's user database through a web application server vulnerability.  

The attacker had made a tool "inside the server" and then gained access rights to the database, he explained. 

A US security researcher had already pointed to a web server vulnerability as the likely hole after claiming to have discovered that Sony was running an outdated version of Apache, according to a Wired report on Friday

With some services set to be phased back online this week, Sony has also offered compensation to lure customers back. Users can expect some PlayStation content for free, 30 days free membership on the PlayStation Plus premium service and 30 days free for Music Unlimited customers on its Qriocity service.

Whilst Sony revealed that 10 million credit card holders could be exposed, Hirai reiterated that Sony was still not entirely certain what happened.  

"As to whether the credit card information was comrpomised, we do not have evidence, but at the same time we cannot rule out the possibility."

He also said that PlayStation Network user passwords were not encrypted but were hashed.

The disclosure came after members of a US House of Representatives subcommittee [pdf] asked why Sony waited until April 26 to disclose the breach. The committee also asked how many of the 77 million PlayStation Network users’ credit card details were held; and why Sony believed credit card information might not have been taken during the attack.

Hirai said Sony was working to "respond in good faith". 

Sony might also face a class-action suit in the State of California, according to the Wall Street Journal.

Other new security measures Sony promised to introduce included “enhanced levels of data protection and encryption”, better intrusion detection and network analysis software, automation tools, additional firewalls, and a move from its current San Diego data centre to a more secure facility. 

Hirai avoided disclosing the expected cost of the incident, but highlighted it would include the cost of replacing credit cards, new security and infrastructure and lost sales.

"There are many factors involved. At this point in time we are not in the position to say one way or another what the impact will be in full."