Protecting yourself

Sony PlayStation data breach: Hackers claim they have 2.2 million credit card numbers

Daniel Ray

The Sony PlayStation story keeps evolving.

In the three days since the company revealed that credit card data could be among the information hacked from its database of 77 million online gamers, there have been three new developments and items of interest:

News organizations that have sniffed around in hacker boards and chatrooms are reporting that lowlifes therein are offering credit card information they say they purloined from the PlayStation database. According to the (UK) Guardian’s technology blog, hackers claim they have 2.2 million Sony customers’ credit card numbers — including their security codes, which make it easy to use cards fraudulently.

If so, that would be Sony’s — and the consumers’ — worst nightmare. The newspaper stresses that these are unconfirmed reports, but adds that some PlayStation customers are reporting that they’ve seen unauthorized charges on their cards. The technical publication Ars Technica surveyed its PlayStation-using readers, and several reported unauthorized charges for items, including a $600 German airline ticket.

The FBI told the BBC that it is now investigating the incident, and U.S. Sen Richard Blumenthal of Connecticut fired off a letter to Sony CEO Jack Tretton asking for explanations and for two years’ worth of free credit monitoring services for victims.

If the worst occurs, it won’t be fun and games for the card issuers, either. Reuters reports that industry analysts peg the cost of replacing a credit card at $3 to $5, putting the total cost of replacing all cards at more than $300 million.

For its part, Sony insists its database of credit card numbers was encrypted. “The entire credit card table was encrypted and we have no evidence that credit card data was taken,” the company says. It also said it’s sorry for the incident and is working to restore service and make good for the lengthy outage, which began April 19.

“We apologize for any inconvenience players may have experienced as a result of the recent service interruption,” the Sony Online Entertainment division said in a Q&A posted online. “As a global leader in online gaming, SOE is committed to delivering stable and entertaining games for players of all ages. To thank players for their patience, we will be hosting special events across our game portfolio. We are also working on a ‘make good’ plan for players of the PS3 versions of DC Universe Online and Free Realms. Details will be available soon on the individual game websites and forums.”

It also said on Wednesday that thieves, even if they had taken credit card numbers, couldn’t possibly have cards’ security codes. “Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.”

Oops. They clawed back that statement a bit later, saying, “While we do ask for [security] codes, we do not store them in our database.”

If you’re a PlayStation online gamer, here are the steps you need to take to protect your real-world finances. And if you’re a Sony PlayStation online user who has seen suspicious charges on the card you used to sign up for the service, please share your story in the comments section below.

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, we ask that you do not disclose confidential or personal information such as your bank account numbers, social security numbers, etc. Keep in mind that anything you post may be disclosed, published, transmitted or reused.

The editorial content on is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.