The company posted an update on its blog warning its more than 70 million customers that their personal information, including customer names, addresses, email addresses, birthdays, PlayStation Network and Qriocity passwords and user names, as well as online user handles, was obtained illegally by an "unauthorised person." The data was accessed between April 17 and April 19, according to Sony.
With respect to credit card information, which many users have given to Sony in order to purchase or rent content via the service, Sony is less sure of what transpired.
"While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," a company spokesman wrote. "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
And as a result, Sony has temporarily turned off PlayStation Network and Qriocity, its subscription music service, contracted with an outside security firm to investigate the intrusion on its network, and started to rebuild its system and security. Sony would not say whether the company had contacted the FBI or any law enforcement about the breach.
It took Sony five days to level with its customers about the consequences of what knocked its service offline. Midway through last week users noticed error messages when trying to sign into the service. While the company initially acknowledged the service was inaccessible on Friday, it offered no explanation of why and said PSN would be back up and running in a "day or two."
On Sunday Sony acknowledged an "external intrusion" on its network and said it was in the process of rebuilding PSN. It never hinted that personal data was compromised, and it's unclear what took Sony so long to come clean.
The company says it is currently in the process of emailing all of its customers about the intrusion.
What should you do?
Finding out whether credit card account information had been exposed is key to assessing the risks for Sony customers. With that information fraudsters can take over bank and credit card accounts and make purchases.
Without that financial information, individuals still run the risk of having their Sony PSN accounts hijacked and being targeted with phishing attacks. For instance, customers should be wary of emails that purport to come from Sony and ask for credit card or other sensitive information, said Beth Givens, founder and director of the Privacy Rights Clearinghouse.
People whose information was exposed in the breach should change their Sony account passwords and password security questions and ignore emails from anybody asking for sensitive information, Givens said. In addition, she suggested that people affected by the breach monitor the credit card that Sony had on file for fraudulent activity, just in case the accounts were exposed.