As Sony works to restore its PlayStation Network (PSN) and Qriocity services – which likely will remain offline until at least the end of the month following two massive data breaches – the company has sustained a third exposure, this time involving the personal information of thousands of sweepstakes contestants.
Sony said it has removed from the internet the names and partial addresses of 2,500 contestants who entered a product sweepstakes in 2001, according to Reuters, which first reported the news. The data did not include credit card, Social Security numbers or passwords.
The latest incident follows two breaches that exposed the personal information of more than 100 million Sony customers.
Mikko Hypponen, chief research officer at anti-virus firm F-Secure, told SCMagazineUS.com in an email Monday that independent Japanese security researchers discovered the sweepstakes information while probing public Sony servers after learning of the previous data leaks.
“What they found was an old sweepstakes server,” Hypponen said. “This server had some of its scripts readable by anyone, and it was easy to deduct where the customer information was saved.”
Hypponen added that the sweepstakes information was not stolen and posted online by hackers, as was stated in a Reuters report. Instead, the information was mistakenly posted by Sony employees to one of the company's own public servers. The file has since been removed, he said.
A Sony spokesperson did not immediately respond Monday when contacted by SCMagazineUS.com.
The third leak was not nearly as serious as the first two breaches. Those incidents involved the personal information of up to 77 million PSN and Qriocity services users and approximately 25 million Sony Online Entertainment users.
Sony's PSN and Qriocity Services remain down after being taken offline on April 20 due to the breach. After initially promising to make the services operational this week, Sony has pushed back the expected restoration date until the end of the month, according to a Bloomberg report, citing Shigenori Yoshida, a Tokyo-based Sony spokesman.
The company is still working to secure its network infrastructure, hence the delay, Nick Caplin, head of communications at Sony Computer Entertainment Europe, wrote in a blog post Saturday.
“We were unaware of the extent of the attack on Sony Online Entertainment servers, and we are taking this opportunity to conduct further testing of the incredibly complex system,” Caplin wrote.
In the post, Caplin said “comprehensive system checks and testing” are still necessary before the systems can be brought back.
Sony, meanwhile, has defended its post-breach response, in a letter to Sen. Richard Blumenthal, D-Conn., who criticized the company for waiting several days to notify victims.
In the letter, Kazuo Kirai, Sony Computer Entertainment's president and CEO, said that the company had to wade through a complex network of 130 servers, 50 software programs and millions of registered users before being able reveal accurate information about the breach.
“Many state statutes essentially require disclosure without unreasonable delay once an investigation has been done,” Kirai wrote. “That is precisely the course we followed.”
He explained that the notification process was slowed because Sony did not send “batch” emails to victims. Instead, letters were individually tailored to customers.
Sony has announced that as a result of the breaches, it plans to deploy software monitoring and configuration management tools, increase encryption and intrusion detection capabilities and add new firewalls. In addition, the company plans to hire its first-ever chief information security officer.
“For a company of this size, it is hard to protect every single part of their operation,” F-Secure's Hypponen said. “However, you would expect better security for one of their crown jewels, their main gaming network.”