Sony Pictures Entertainment (SPE) released a consumer alert yesterday admitting that an attack on SonyPictures.com compromised the personally identifiable information (PII) of some 37,500 of their customers. Sony said the breach did not spill any credit card information or social security numbers. It was the first published acknowledgement from the company on the extent of the breach, on June 2.
Sony did not immediately return requests for comment from Threatpost.
The breach has been attributed to LulzSec a hacking group that spun off from Anonymous. In its statement, Sony said specific information tied to certain promotions and sweepstakes was taken. That may include names, addresses, email addresses, telephone numbers, genders, dates of birth, and website passwords and user names. The company warned customers about potential phishing scams and advise them to change their passwords when the site comes back online. However, Sony stopped short of offering what has become industry standard data breach reconciliation of one year of free credit monitoring services, opting instead to provide the information necessary for customers to check their credit score on their own.
This is only the latest in a long line of public relations catastrophes for the entertainment conglomerate, which started when the company suffered a breach and subsequent outage on their PlayStation Network in late April. Their woes deepened when their home nation of Japan didn’t allow them to restore the network in that country and then again when their password reset process was beset with problems and had to be temporarily shut down.