Sony faced fierce criticism on Wednesday following its disclosure that a hacker had stolen the personal data of more than 70m users of its PlayStation Network in one of the worst such online privacy breaches to date.
The Japanese group said it had lost real names, birth dates, e-mail addresses and Sony passwords in what it described as an “intrusion” nearly a week earlier. It had closed down the PlayStation Network and its smaller Qriocity media streaming service, which was also affected, but the delayed revelation drew criticism.
After hiring outside investigators, “it was necessary to conduct several days of forensic analysis and it took our experts until yesterday to understand the scope of the breach”, Sony said late on Tuesday. “We then shared that information with our consumers and announced it publicly.”
The group said it could not rule out the possibility that credit card data had also been stolen, prompting Richard Blumenthal, a US senator, to call on the company to pay for monitoring services to track the use of credit linked to the names of affected customers.
“I am absolutely appalled,” Mr Blumenthal told the Financial Times. “The facts show Sony purposefully deceived people and misled them before it has now finally begun coming clean.”
He also said many customers had yet to be notified. The company had no immediate response to the senator’s claims.
The incident is a serious blow to Sony’s ambitions to compete with Apple’s iTunes service for online music and video. Its response has also drawn comparisons with Toyota, another of Japan’s best-known brands, which was criticised last year for its slow disclosure during a series of safety recalls.
“If you have compromised my credit information, you will never receive it again,” said a post under the pseudonym Korbei83 on the PlayStation Network blog, reflecting anger among users.
Some PlayStation Network gamers who used their Sony passwords on other services said their e-mail accounts had been compromised and used to send spam. Criminals could mine e-mail accounts for financial account numbers and passwords or send mail to the contacts of the customer, increasing the chances that recipients click dangerous links that install malicious software.
The UK Information Commissioner’s Office said it was contacting Sony and noted companies were legally obliged to keep data secure. Sony declined to give details of the attack or say whether the personal information had been encrypted.
Its shares fell nearly 3 per cent in New York.