Sony Corp. said it is beefing up security on the PlayStation Network in the wake of a hacking attack that resulted in the theft of millions of users' credit card details.
At a press conference Sunday afternoon in Japan, Sony Corp.'s Executive Deputy President Kazuo Hirai outlined some of the steps the company will take to protect users' data. Hirai was flanked by two other executives, Chief Information Officer Shinji Hasejima and Senior Vice President of Corporate Communications Shiro Kambe.
One is hiring a chief information security officer to help prepare future defenses against hacking attacks. The company will also set up a new data center in San Diego, with more advanced security. Hirai said the new center would have better detection systems in place, as well as enhanced data encryption.
An additional sign-on feature will also be added, but Hirai was not specific about what that might be.
Hirai was not specific about whether users might be compensated for any losses to their credit cards. About 10 million credit cards were registered, representing 77 million users. Sony said there is as yet no evidence of credit card fraud, though several news outlets reported that hacker groups were offering them for sale. Sony Network Entertainment, the U.S. subsidiary of Sony, is working with the Federal Bureau of Investigation to find out more and possibly prosecute the hackers.
The executives were not clear what vulnerability the hack exploited, whether it was a known problem or a newly discovered one. They would not discuss details.
Asked why it took so long to hold a press conference like this, the company said it shut down the network soon after it found out about the attack and warned customers about it via email.
Sony reiterated that the credit card information was encrypted, although the password and login data were not. The passwords, the executives said, were hashed, which means the site stores them in a coded form that is not quite the same process. A hacker who got the passwords would see only the hashed versions, though they might be able to re-derive them. With the passwords, the credit card information would be vulnerable. In addition there are reports that the credit card data has appeared on various hacker forums.
While Sony isn't offering direct compensation to users - at least not yet - the company said it would offer a 30-day subscription to PlayStation Plus while Qriocity customers will get an extra 30 days of service for free.
At the end of the press conference Hirai, Hasejima and Kambe bowed deeply, and reiterated their apologies.
Sony's PlayStation Network was compromised on April 19. The company soon took the network down entirely, in part to defend itself against the hacking attack. Sony did not admit until a week later that names, passwords, and credit card information was taken from the PlayStation Network's user database.
Already the company is the subject of a lawsuit for negligence in the way it handled customer data. And there is some speculation that the incident could prompt changes in the regulations that govern how such data is stored and handled.
Additional questions have come from members of Congress and several attorneys general. Senator Richard Blumenthal of Connecticut wrote to Sony this week, asking why the company took several days to notify users that their data might have been stolen. He also called for Sony to provide PlayStation Network users with financial data security services.