September 23, 2021

Data for 1.3 Million Customers Stolen in Latest Game Maker Attack

TOKYO — The Japanese video game developer Sega said Sunday that information belonging to 1.3 million customers had been stolen from its database, the latest global hacker attack against a video game company.

Names, birth dates, e-mail addresses and encrypted passwords of Sega Pass online network members had been compromised, Sega said in a statement, though payment data like credit card numbers were safe. Sega Pass has been shut down since late last week.

“We are deeply sorry for causing trouble to our customers. We want to work on strengthening security,” said Yoko Nagasawa, a Sega spokeswoman, adding that it was unclear when the company would restart Sega Pass.

The attack against Sega, a division of Sega Sammy Holdings that makes game software like Sonic the Hedgehog as well as slot machines, follows other recent significant breaches. Targets have included Citigroup, which said more than 360,000 accounts were hit in May, and the International Monetary Fund.

The drama surrounding the recent round of video game breaches paled in comparison with what Sony, the maker of the PlayStation, experienced after two high-profile attacks that surfaced in April.

Those breaches led to the theft of account data for more than 100 million customers, making it the largest ever hacking of data outside the financial services industry.

They also exposed what turned out to be a large number of security holes in sites throughout the global Sony media empire.

That led to attacks on Sony systems that undermined confidence in the company and made it the source of frequent jokes by security experts.

Sega Europe, a division of Sega that runs the Sega Pass network, immediately notified Sega and the network customers after it found out about the breach Thursday, Ms. Nagasawa said.

Sega was one of the biggest video game consoles makers in the 1990s but pulled out of the market in 2001 in response to disappointing sales of its Dreamcast system, which began sales in 1998 to widespread industry praise. Dreamcast lost ground to newer products developed by Sony and Nintendo.

It now focuses on developing video games for systems made by other companies.

While the F.B.I. is likely to be called in to investigate the attack on Sega, as the U.S. government agency typically is in such cases, its agents may find themselves competing for clues with members of the Lulz Security hacking group.

Lulz, a group of hackers that has been behind the cyber attacks against other video game companies including Nintendo, unexpectedly offered to track down and punish the hackers who broke into Sega’s database.

In its offer to assist Sega, a Twitter post from Lulz hinted that its leaders might count themselves among a small but highly loyal group of game players who still play on the aging Dreamcast console.

“Sega — contact us,” Lulz said. “We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down.”

Article source:

DealBook: Citigroup Says Credit Card Customers’ Data Was Hacked

CitibankRobert Galbraith/Reuters

12:49 p.m. | Updated Citigroup acknowledged on Thursday that unidentified hackers had breached its security and gained access to the data of hundreds of thousands of its credit card customers in North America.

“During routine monitoring, we recently discovered unauthorized access to Citi’s account online,” the bank said in an e-mailed statement. “We are contacting customers whose information was impacted.”

The bank said about 1 percent of its North American credit card holders had been affected, putting the total count of customers exposed in the hundreds of thousands, based on its annual report for 2010, which said it had about 21 million credit card customers in North America.

While information concerning customers’ names, credit card numbers, addresses and e-mail addresses was exposed, the bank said that data like the “Social Security number, date of birth, card expiration date and card security code were not compromised.”

Citi is notifying cardholders who have been affected via mail, as well as via their online accounts. Most customers will also received a replacement card, the company said.

“Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” the bank said. “For the security of these customers, we are not disclosing further details.”

While no group has claimed responsibility for the breach, it is part of a spate of recent cyberattacks.

Sony has reported a series of assaults on its PlayStation network and several Sony Web sites — one hacker site says there have been 18 so far — after the company sued, and then settled with, a programmer who had cracked the PlayStation code. Other attacks have hit PBS, Fox and an F.B.I. affiliate known as Infragard. And most worrying of all, perhaps, they compromised the security system of RSA, maker of the popular SecurID.

But none of those breaches appears to pose as direct a threat to consumers as the one reported by Citi. A spokesman for the bank said that only credit card customers had been affected, not debit card holders, and that law enforcement had been alerted.

The Financial Times earlier reported the breach.

Two people associated with the hacker collective Anonymous said they did not believe the group was involved.

“Anonymous kind of moved off the banks,” one said, adding that it was “because they were bored.”

Anonymous has become known for prominent denial-of-service attacks that disable and deface the Web sites of companies the hackers dislike; for example, the group disrupted service at Visa and MasterCard after they stopped allowing donations to WikiLeaks.

“For-profit attacks are always foreign,” one of the people said. “I’ve never heard of an American group doing that. You can deface a Web site, but once you start stealing money … we understand the FBI. They can kick your door down for downloading torrents.”

Citigroup was reported to have been breached by hackers tied to a Russian group in 2009, and before that in 1995.

One of the members of Anonymous questioned Citigroup’s security as the bank described it on its Citi Card site, saying the 128-bit encryption the bank boasts of is “really not that big a deal.”

“Two-hundred-and-fifty-six bit would take someone a lifetime to decrypt,” the person said. “The security is so weak right now, if you know a couple attacks, you can just go around and see what works.”

Article source:

Nintendo Is Hit by Hackers, but Breach Is Deemed Minor

TOKYO — Nintendo, the manufacturer of the Wii and 3DS game systems, said Sunday that it had been the target of a recent hacker attack, the latest in a flurry of intrusions into corporate Web sites.

Nintendo, which is based in Kyoto, said in a statement that a server at an affiliate of its United States unit was accessed unlawfully “a few weeks ago.” That server contained no consumer information and no data had been lost, the company said.

The attack on Nintendo appears to be significantly less serious than the security breach of Sony’s PlayStation Network, which forced it offline in late April for more than a month. Hackers in that case took personal data from tens of millions of user accounts, including credit card numbers.

Nevertheless, the continuing intrusions underscore the vulnerability of online services at a time companies have raced to expand their Internet offerings.

A hacker group called LulzSec, which has said it was behind several data breaches at Sony, also appeared to claim responsibility for the attack at Nintendo.

In a post on Twitter on Saturday, the group suggested that Nintendo might be spared some of the harsher intrusions it said it had directed at Sony.

“We’re not targeting Nintendo. We like the N64 too much — we sincerely hope Nintendo plugs the gap,” the group said on its Twitter account, referring to the company’s Nintendo 64 game machine, released in the mid-1990s.

LulzSec on Thursday claimed responsibility for breaking into the Sony Pictures Entertainment site and stealing personal information of about 52,000 customers. The group also claimed to have broken into a database for Sony Music’s Japanese site on May 23.

It is a consequential time for Nintendo, as it introduces its e-Shop service for the 3DS, its flagship device that lets users play 3-D games without wearing special glasses.

Nintendo said it has fixed the problem and that the hacking episode would not delay its new online service, the Nintendo e-Shop, which lets users download games for the 3DS hand-held machine. The service will go online Monday in the United States as planned, said Ken Toyoda, a spokesman for Nintendo.

“The server issue was resolved some time ago,” Mr. Toyoda said from Los Angeles, ahead of the annual E3 Expo, a major trade event for the gaming industry.

Gaming companies like Nintendo and Sony Computer Entertainment have been eager to take their businesses online to increase revenue and to compete with the popularity of simple downloadable games played on smartphones and tablet computers.

Sony had been banking on its PlayStation Network as a base for an online universe that would link its gaming consoles, and its TVs, digital music players and other Sony-made devices.

Sony promised in May that it would bolster its online security. It said it was cooperating with the F.B.I. in a wide-ranging investigation.

Other tech giants have been the focus of a global surge in hacker attacks. Last week, Google said that hundreds of users of Gmail had been the targets of clandestine attacks, apparently originating in China.

The attacks were aimed at stealing the passwords and monitoring e-mail from accounts of senior government officials in the United States, Chinese political activists, officials in several Asian countries, military personnel and journalists, Google said.

Article source:

Sony Says Parts of PlayStation Network Will Be Back Online This Week

TOKYO — Sony said Sunday that parts of its PlayStation Network would be back online this week after hackers infiltrated the service, made off with detailed personal information about users and forced a catastrophic system shutdown.

But a full rebooting of the network, which links 77 million game players worldwide, could take until the end of the month, the Japanese electronics and entertainment company announced at a news conference in Tokyo.

“I am deeply sorry for worrying, and inconveniencing, our users,” Kazuo Hirai, Sony’s executive deputy president, said, bowing deeply.

The security debacle has dealt a serious blow to Sony’s bid to build an online network that brings games and music content to its universe of gadgets. Sony has trailed in building an online presence behind companies like Apple and its popular services, iTunes and the App Store.

Sony has also faced questions about whether it moved quickly enough to inform its users of the breach. The PlayStation Network went down April 20, but Sony did not disclose that personal data had been stolen until a full week later.

A subcommittee of the U.S. House of Representatives has sent a letter to Sony asking for information about the attack. Among its questions are when the intrusion occurred, whether Sony knew who was responsible and when the company had notified law enforcement agencies.

According to Sony, an “unauthorized person” hacked into Sony servers last month and obtained personal information on PlayStation and Qriocity account holders, including their names, addresses, e-mail addresses and user names and passwords for the PlayStation Network.

The company said that other information, including credit card numbers, might have been involved, warning customers to “remain vigilant” by monitoring for identity theft or financial losses.

The hacker attack focused on Sony severs on three days in mid-April, Mr. Hirai said. The company first became aware of the intrusion April 19 and shut down its servers the following day.

Sony said that user names and passwords to the network had not been encrypted but that the credit card information it had for about 10 million users had been and that there was yet no evidence that those data had been taken.

The company is working with the F.B.I. in the United States and with law enforcement agencies in other countries in investigating the attack, it said.

Mr. Hirai acknowledged that Sony had been slow in providing information on the network breach to its users. It took the company time to gather accurate data on the breach, he said.

“Inspecting and analyzing a vast amount of data unfortunately took a lot of time,” he said. “We wanted to make sure that the information we provided was accurate as possible.”

Mr. Hirai said that online networks would remain central to Sony’s business. The new Qriocity service, which streams audio and video content to Sony’s high-end televisions, Blu-ray players and other Web-enabled devices, was also knocked offline in the attack.

Once the network is up and running, users will have to change their passwords before they can connect. Sony will offer free content and other giveaways as part of an “appreciation program,” the company said.

Many features will be back up this week, but the PlayStation Store, where users buy games, movies and other downloadable content, will not be available until later this month, Sony said.

“Sony continues to place utmost priority on its network strategy,” Mr. Hirai said. “We intend to continue our global expansion.”

Article source:

Sony Says PlayStation Hacker Got Personal Data

Christopher Miller’s PlayStation Portable game console had been broken for most of two years. So when his parents got him a new one for his 25th birthday on April 18, he was elated — but only briefly.

Last week, Sony’s online network for the PlayStation suffered a catastrophic failure through a hacking attack. And since then, the roughly 77 million gamers worldwide like Mr. Miller who have accounts for the service have been unable to play games with friends through the Internet or to download demos of new games.

Then, on Tuesday, after several days of near silence, Sony said that as a result of the attack, an “unauthorized person” had obtained personal information about account holders, including their names, addresses, e-mail addresses, and PlayStation user names and passwords. Sony warned that other confidential information, including credit card numbers, could have been compromised, warning customers through a statement to “remain vigilant” by monitoring identity theft or other financial loss.

Law-enforcement officials said Tuesday that Sony had reported the breach to the Federal Bureau of Investigation in San Diego, which specializes in computer crime.

The breach comes after an incident earlier this month, when Epsilon, a marketing firm that handles e-mail lists, suffered a security breach that put millions of people’s e-mail addresses at risk. In some instances, customers’ names were also stolen. Last year, an ATT breach exposed the e-mail addresses of at least 100,000 owners of the Apple iPad.

Even before Sony’s disclosure, complaints about the system failure had been mounting on Web sites, including Sony’s own. “It’s ridiculous,” said Mr. Miller, a 3-D animation student from Saline, Mich., in an e-mail.

Other customers — who have come to take the gaming network for granted — said they were astonished by the failure’s duration and its target, Sony, a globally recognized technology company. Some suggested that the incident, already a severe blow to Sony’s reputation, would give its top video game rivals, Microsoft and Nintendo, a leg up in the console wars.

“Sony is pretty much doing everything wrong,” said Carl-Niclas Odenbring of Releasy Customer Management in Sweden, which helps companies manage social media. Mr. Odenbring said his daughter, age 6, misses playing games on her Sony console, but is now playing on an iPad.

“She doesn’t have any direct purchasing power, but her indirect influence in what my wife and I buy is enormous,” he said. “Sony is losing the battle over her.”

Last weekend, after the attack, Sony said it would rebuild the network to make it more secure. The Sony Qriocity service, which is used to stream audio and video to high-end Sony televisions, Sony Blu-ray players and other Web-enabled Sony devices, was also knocked offline.

“It is very unusual for Sony to completely rebuild a system after a security breach, rather than just stopping the bleeding and going back to some kind of restricted network,” said Mark Seiden, a longtime information security consultant. “The fact that two separate networks are involved in this security breach suggests Sony discovered a major underlying problem that already existed.”

It remains unclear who the hackers were. Anonymous, a well-known hacking group that has been blamed for previously attacking the Sony and PlayStation Web sites, denied any responsibility; the group’s Web site stated, “For once we didn’t do it.”

Last Wednesday, Sony began posting sporadic messages that the PlayStation Network was down. In its first detailed statement on the attack, Sony told its customers on Tuesday afternoon that it had discovered that an “illegal and unauthorized intrusion” into the network had taken place between April 17 and 19.

“If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number and expiration date may have been obtained,” Patrick Seybold, senior director for corporate communications at Sony, wrote in a post on the PlayStation Web site and in an e-mail to customers.

Sony representatives declined to give further details.

Sony said it expected to restore some services — but apparently not all — within a week.

Shortly after Sony’s announcement Tuesday, Senator Richard Blumenthal, Democrat of Connecticut, sent a letter to Sony asking why customers had not been notified immediately about the security breach and not told for nearly a week about the extent of the attack. Mr. Blumenthal also cited concerns that many PlayStation users are children.

The letter said Sony should provide PlayStation customers “financial data security services, including free access to credit reporting services.”

One group of gamers who were particularly vociferous were the members of DC Universe Online, an online game. The game has been out of operation since the attack, affecting gamers who have paid for the service for months in advance.

Other customers said they had had trouble connecting to the popular online streaming service Netflix through the PlayStation console.

Daniel McGuire, a PlayStation user in London, in an e-mail criticized Sony’s initial silence. “Most PlayStation users would never cross over to the Xbox,” he said, referring to Microsoft’s rival console, “but this situation is pushing people. If ever Xbox wanted to snatch PlayStation users, this would be the time.”

Article source: