Oops, they did it again, or at least did a whole lot more than Sony thought until yesterday, shortly before Japanese news site Nikkei claimed a second data breach at Sony HQ involved the theft of nearly 13,000 credit card numbers. Hide your wallets, folks.
I knew something was up when Sony Online Entertainment (EverQuest, DC Universe Online) shuttered yesterday morning, but Sony wouldn’t tell us why. At that point, Sony said it had “discovered an issue that warrants enough concern for us to take the service down effective immediately.” Hackers? Gremlins? Aliens? Take your pick.
Late yesterday afternoon, Nikkei reported the “issue” was in fact Sony coming to terms with mass infiltration number two, and that this time, the perpetrators made off with a lot more than names and birth dates.
Sony confirmed the breach in an official statement last night (timed like the rest, no doubt, to mitigate press coverage). In it, the company admitted the perps who broke into Sony’s PlayStation Network and Qriocity servers between April 17th and 19th also managed to infiltrate Sony Online Entertainment.
But where the data lifted from PSN/Qriocity was mostly personal (name, address, birth date), the info lifted from SOE included around 12,700 non-US credit cards and an additional 10,700 “direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain.”
Ouch. Sony still believes its main credit card database was untouched, and calls the one containing those 12,700 credit card numbers “an outdated database from 2007,” but that begs the question: what were they doing storing “outdated” information in the first place? That, and credit card expiration periods can run out to five years, so it’s possible anywhere from none, to some, to all of the cards in the list are still active.
When did Sony know? The company says it “previously believed that SOE customer data had not been obtained in the cyber-attacks on the company,” but noted that Sunday, May 1st, it determined SOE account info was stolen. The delay of a day to announce probably involved running the particulars up the corporate ladder and crafting the press statement.
In the meantime, Sony says it has:
1) Temporarily turned off all SOE game services;
2) Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3) Quickly taken steps to enhance security and strengthen our network infrastructure to provide you with greater protection of your personal information.
More of the same, then: services off, investigation ongoing, vague promises about security refinements, and though we’ve yet to hear about any actual breach-related identity theft or fraud, a tragedy of titanic proportions (see what I did there?) for the company’s already badly damaged customer reputation.