Re: Sony Online Entertainment (SOE) breach letter

["George Toft" <george () georgetoft com>]

I got one just like it, but all the links went to innovyx.net.  It looked 
like a classic phishing email.  Two odd things about it: 1. Innovyx is a 
legitimate email company (I had to research them); and 2. I have never owned 
a playstation or any other Sony product so why am I getting the email?

I think they could have handled this much better.

George


----- Original Message ----- 
From: "security curmudgeon" <jericho () attrition org>
To: <dataloss-discuss () datalossdb org>; <dataloss () datalossdb org>
Sent: Tuesday, May 03, 2011 12:10 AM
Subject: [Dataloss] Sony Online Entertainment (SOE) breach letter


> ---------- Forwarded message ----------
> From: Sony Online Entertainment 
> <Sony_Online_Entertainment () soe innovyx net>
> To:
> Date: Tue, 3 May 2011 02:07:01 -0500
> Reply-To:
> Subject: Important Customer Notification
>
> Visit the link below to view this email as a Web page:
> (link)
>
> Sony Online Entertainment
>
> Customer Service Notification
>
> May 2, 2011
>
> Dear Valued Sony Online Entertainment Customer:
>
> Our ongoing investigation of illegal intrusions into Sony Online
> Entertainment systems has discovered that hackers may have obtained
> personal customer information from SOE systems. We are today advising you
> that the personal information you provided us in connection with your SOE
> account may have been stolen in a cyber-attack. Stolen information
> includes, to the extent you provided it to us, the following: name,
> address (city, state, zip, country), email address, gender, birthdate,
> phone number, login name and hashed password.
>
> Customers outside the United States should be advised that we further
> discovered evidence that information from an outdated database from 2007
> containing approximately 12,700 non-US customer credit or debit card
> numbers and expiration dates (but not credit card security codes) and
> about 10,700 direct debit records listing bank account numbers of certain
> customers in Germany, Austria, Netherlands and Spain may have also been
> obtained -- we will be notifying each of those customers promptly.
>
> There is no evidence that our main credit card database was compromised.
> It is in a completely separate and secured environment.
>
> We had previously believed that SOE customer data had not been obtained in
> the cyber-attacks on the company, but on May 1st we concluded that SOE
> account information may have been stolen and we are notifying you as soon
> as possible.
>
> We apologize for the inconvenience caused by the attack and as a result,
> we have:
>
> 1. Temporarily turned off all SOE game services;
> 2. Engaged an outside, recognized security firm to conduct a
> full and complete investigation into what happened; and
> 3. Quickly taken steps to enhance security and strengthen our
> network infrastructure to provide you with greater protection
> of your personal information.
>
> We greatly appreciate your patience, understanding and goodwill as we do
> whatever it takes to resolve these issues as quickly and efficiently as
> practicable.
>
> For your security, we encourage you to be especially aware of email,
> telephone, and postal mail scams that ask for personal or sensitive
> information. Sony will not contact you in any way, including by email,
> asking for your credit card number, social security number or other
> personally identifiable information. If you are asked for this
> information, you can be confident Sony is not the entity asking. When
> SOE's services are fully restored, we strongly recommend that you log on
> and change your password. Additionally, if you use your Station or SOE
> game account name or password for other unrelated services or accounts, we
> strongly recommend that you change them, as well.
>
> To protect against possible identity theft or other financial loss, we
> encourage you to remain vigilant, to review your account statements and to
> monitor your credit reports. We are providing the following information
> for those who wish to consider it:
>
> - U.S. residents are entitled under U.S. law to one free credit report
> annually from each of the three major credit bureaus. To order your free
> credit report, visit https://www.annualcreditreport.com/cra/index.jsp or
> call toll-free (877) 322-8228.
>
> - We have also provided names and contact information for the three major
> U.S. credit bureaus below. At no charge, U.S. residents can have these
> credit bureaus place a "fraud alert" on your file that alerts creditors to
> take additional steps to verify your identity prior to granting credit in
> your name. This service can make it more difficult for someone to get
> credit in your name. Note, however, that because it tells creditors to
> follow certain procedures to protect you, it also may delay your ability
> to obtain credit while the agency verifies your identity. As soon as one
> credit bureau confirms your fraud alert, the others are notified to place
> fraud alerts on your file. Should you wish to place a fraud alert, or
> should you have any questions regarding your credit report, please contact
> any one of the agencies listed below.
>
> Experian: 888-397-3742
> http://www.experian.com/
> P.O. Box 9532, Allen, TX 75013
>
> Equifax: 800-525-6285
> http://www.equifax.com/home/en_us
> P.O. Box 740241, Atlanta, GA 30374-0241
>
> TransUnion: 800-680-7289
> http://www.transunion.com/
> Fraud Victim Assistance Division
> P.O. Box 6790, Fullerton, CA 92834-6790
>
> - You may wish to visit the web site of the U.S. Federal Trade Commission
> at http://www.consumer.gov/idtheft or reach the FTC at (877) 382-4357 or
> 600 Pennsylvania Avenue, NW, Washington, DC 20580 for further information
> about how to protect yourself from identity theft. Your state Attorney
> General may also have advice on preventing identity theft, and you should
> report instances of known or suspected identity theft to law enforcement,
> your State Attorney General, and the FTC. For North Carolina residents,
> the Attorney General can be contacted at 9001 Mail Service Center,
> Raleigh, NC 27699-9001; telephone (877) 566-7226; or http://www.ncdoj.gov/
> For Maryland residents, the Attorney General can be contacted at 200 St.
> Paul Place, 16th Floor, Baltimore, MD 21202; telephone: (888) 743-0023; or
> http://www.oag.state.md.us/
>
> We are committed to helping our customers protect their personal data and
> we will provide a complimentary offering to assist users in enrolling in
> identity theft protection services and/or similar programs. The
> implementation will be at a local level and further details will be made
> available shortly in regions in which such programs are commonly utilized.
>
> We thank you for your patience as we complete our investigation of this
> incident, and we regret any inconvenience. Our teams are working around
> the clock on this, and services will be restored as soon as possible. Sony
> takes information protection very seriously and will continue to work to
> ensure that additional measures are taken to protect personally
> identifiable information. Providing quality and secure entertainment
> services to our customers is our utmost priority. Please contact us at
> (866) 436-6698 should you have any additional questions.
>
> Sincerely,
> Sony Online Entertainment LLC
>
> THIS IS A CUSTOMER SERVICE NOTIFICATION.
>
> SOE Privacy Policy
> http://www.soe.com/sonyonline/privacy.vm
>
> SOE Terms of Service
> http://www.soe.com/termsofservice.vm
>
> http://www.soe.com/
>
> Sony Online Entertainment LLC
> 8928 Terman Court - San Diego, CA 92121
>
> _______________________________________________
> Dataloss Mailing List (dataloss () datalossdb org)
> Archived at http://seclists.org/dataloss/
> Unsubscribe at http://datalossdb.org/mailing_list
>
> Learn encryption strategies that manage risk and shore up compliance.
> Download Article 1 of CREDANT Technologies' The Essentials Series:
> Endpoint Data Encryption That Actually Works
> http://credant.com/campaigns/realtime2/gap-LP1/
>
>
> -----
> No virus found in this message.
> Checked by AVG - www.avg.com
> Version: 10.0.1209 / Virus Database: 1500/3611 - Release Date: 05/02/11

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/