Sony Corp. said it would consider reimbursing financial institutions for the costs associated with reissuing credit cards that might have been compromised in last month's breach of its PlayStation Network.
Kazuo Hirai, the president and chief executive of the Sony Computer Entertainment Inc. division, said during a May 1 press conference that about 10 million PlayStation Network account owners were notified that their credit card information was compromised. The online gaming network has about 77 million users.
There were no confirmed reports that fraud was committed with data stolen during the breach, Hirai said, but Sony has asked its customers to monitor their accounts for unauthorized transactions. Sony has asked the FBI to conduct a criminal investigation into the breach.
Several PlayStation Network users, including a reporter from American Banker, have reported recent incidents of fraud or attempted fraud on the cards they used with Sony's service, though neither Sony nor any card issuers confirmed the fraud stemmed from the breach.
Sometime between April 17 and April 19, an unauthorized party accessed the PlayStation Network, which enables its users to play video games together and purchase music, movies and television shows. The breach also affected Qriocity, Sony's streaming music and video service.
Sony apparently discovered more problems because it has shut down its multiplayer online games for PCs, the company announced May 2.
"In the course of our investigation into the intrusion into our systems we have discovered an issue that warrants enough concern for us to take the service down effective immediately," Sony said in a blog post Monday.
Sony has faced criticism about why it took several days to notify PlayStation Network users about the breach.
Sony shut down the network to prevent further damage and then hired three security firms to investigate the attack, Hirai said at the press conference. Sony did not realize the scope of the attack until April 26, when it discovered that someone had obtained personal information such as names, home addresses, country locations, email addresses, birth dates and users' login credentials for the service, Hirai said. Credit card data was kept encrypted and separate from these other details.
Shutting down the network took more time than expected, Hirai added.
Despite any perceived delays to action, at least one analyst said Sony is being proactive in its actions since the breach.
"Sony should be commended for getting ahead of a potential onslaught of lawsuits from affected consumers and financial institutions," Philip Philliou, a partner with the consulting firm Philliou Partners LLC, said in an interview.
Assuming banks' card-reissuing costs will be expensive for Sony; however, getting ahead of the lawsuits "is not only potentially less costly, but it goes a long way to protecting the integrity of the Sony brand," he said.
At least one consumer already has filed a lawsuit in Alabama. The suit accuses Sony of "negligence in data security" and of not taking "reasonable care to protect, encrypt and secure the private and sensitive data of its users."
Sony plans to compensate PlayStation Network users with free content and a 30-day subscription to its PlayStation Plus online service, which provides free games and other perks for the duration of the subscription.
Sony plans to restart the service incrementally this week. The company hopes the network will be fully restored within the next month, Hirai said.
