For Immediate Release - May 04, 2011

AG Coakley Calls on Sony Network Entertainment to Provide Notice about its Recent Data Breach to All Massachusetts Consumers

AG Offers Guidance to Consumers on How to Protect Personal Information

BOSTON - In light of reports that the personal information of millions of its customers may have been compromised, Attorney General Martha Coakley is calling on Sony Network Entertainment to notify all affected Massachusetts consumers about the data breach. AG Coakley also issues the following advisory with tips for consumers to protect themselves from identity theft.

In written notification to the company, AG Coakley's office has informed Sony Network Entertainment that it must provide proper legal notice to affected Massachusetts residents in accordance with the Commonwealth's data breach notification statute, G.L. 93H. Specifically, Sony must provide clear and conspicuous notice of the data breach to consumers on the main homepage of the website as well as notify all affected Massachusetts residents via electronic mail. It also must publicize the notice in media throughout the Commonwealth.

"This is certainly a significant breach of personal information for millions of Sony customers, including hundreds of thousands of Massachusetts residents," AG Coakley said. "While the case remains under investigation, we believe Sony should immediately notify all of its Massachusetts consumers about the breach so that people can take steps to protect themselves."

On April 26, Sony Network Entertainment announced that between April 17 and April 19, certain PlayStation Network and Qriocity service user account information was compromised in connection with an unauthorized intrusion including name, address (city, state, zip), country, email address, birth date, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that profile data, including purchase history and billing address (city, state, zip), and PlayStation Network/Qriocity password security answers may have been obtained. Likewise, if a user authorized a sub-account for a dependent, the same data with respect to the dependent may have been obtained.

While Sony Network Entertainment claims there is no evidence at this time that credit card data was taken, it has stated that it cannot rule out that possibility. Sony Network Entertainment acknowledges that if you have provided your credit card data through the PlayStation Network or Qriocity, your credit card number (excluding security code) and expiration date may have been obtained.

Although Sony has posted information about this matter on its website at http://us.playstation.com/news/consumeralerts and provided notice via electronic mail to some Massachusetts consumers, AG Coakley is calling upon Sony Network Entertainment to provide more clear and conspicuous notice to consumers on the main homepage of the website as required by Massachusetts law. AG Coakley is also calling on the company to notify all affected Massachusetts residents via electronic mail and to publicize the notice in media throughout the Commonwealth.

On May 2, 2011, Sony Online Entertainment announced that between April 16 and April 17, 2011, hackers also gained access to Sony Online Entertainment systems and may have obtained personal customer information. Personal information consumers provided in connection with their SOE accounts may have been stolen in a cyber-attack including name, address (city, state, zip, country), email address, gender, birth date, phone number, login name and hashed password. Sony Online Entertainment states that this time it does not believe that its main credit card database was compromised. The Attorney General's office is continuing to investigate and get more information on this matter as well.

In light of this recent news, Attorney General Martha Coakley's Office offers consumers the following information on how to protect themselves against potential identity theft. Consumers who have PlayStation Network and Qriocity user accounts or have used Sony Online Entertainment systems may wish to consider taking the following precautionary steps:

  1. Do not respond to unsolicited emails, telephone calls, or mailings that ask you for your credit card number, credit card security codes, social security numbers, or bank account numbers.
  2. For all PlayStation Network, Qriocity and SOE services, it is strongly recommended that you log on and change your password. Additionally, if you use the same user name or password for your Sony services as you do for other unrelated services or accounts, we strongly recommend that you change them as well.
  3. Carefully review and monitor your credit card or other financial accounts for any unauthorized activity and monitor your credit reports.
  4. Call one of the three major credit bureaus and place a one-call fraud alert on your credit report:
  • Equifax: Call (800) 525-6285, www.equifax.com, or write: P.O. Box 740241, Atlanta, GA 30374-0241.
  • Experian: Call (888) 397-3742, www.experian.com, or write: P.O. Box 9532, Allen, TX 75013.
  • TransUnion: Call (800) 680-7289, www.transunion.com, or write: Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790.

You only need to call one of the three credit bureaus; the one you contact is required by law to contact the other two credit bureaus. This one-call fraud alert will remain in your credit file for at least 90 days. When you place a fraud alert on your credit report, you are entitled to order one free credit report from each of the three nationwide consumer reporting agencies.

  1. Order a copy of your credit report, and look for unauthorized activity. Look carefully for unexplained activity on your credit report.
  2. If there is unexplained activity on your credit report, you may want to place an extended fraud alert on your credit report. If after reviewing your credit report you believe there is unexplained activity, you may want to place an extended fraud alert on your credit report. In order to do this, you need to file a police report with your local police department, keep a copy for yourself, and provide a copy to one of the three major credit bureaus. Then an extended fraud alert can be placed on your credit file for a 7-year period.
  3. If there is unexplained activity on your credit report, you may also want to consider placing a security freeze on your credit reports. Massachusetts consumers can place a security freeze on their credit reports. In most instances, a security freeze prohibits a credit reporting agency from releasing any information from your credit report without your written authorization. Consumers should be aware that placing a security freeze on their credit report may delay, interfere with, or prevent the timely approval of any requests they make for new loans, credit mortgages, employment, housing or other lines of credit.

If you have been a victim of identity theft, and you provide the credit reporting agency with a valid police report, it cannot charge you to place, lift or remove a security freeze. In all other cases, a credit reporting agency may charge you a $5 fee for each placing, temporary lifting or removing of a security freeze.

To place a security freeze on your credit report, you should send a written request to each of the three nationwide consumer reporting agencies by regular, certified or overnight mail at the addresses below:

Equifax Security Freeze
P.O. Box 105788
Atlanta, GA 30348

Experian Security Freeze
P.O. Box 9554
Allen, TX 75013

TransUnion
Fraud Victim Assistance Department
P.O. Box 6790
Fullerton, CA 92834

In order to request a security freeze, you must:

  • Provide your full name (including middle initial as well as Jr., Sr., II, III, etc.), address, Social Security number, and date of birth;
  • If you have moved in the past 5 years, supply the addresses where you have lived over the prior 5 years;
  • Provide proof of current address such as a current utility bill or phone bill;
  • Send a photocopy of a government issued identification card (state driver's license or ID card, military identification, etc.);
  • If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft;
  • If you are not a victim of identity theft, include payment by check, money order or credit card (Visa, Master Card, American Express, or Discover cards only.) Do not send cash in the mail.

If you believe that you have been the victim of identity theft, you will need to take additional steps to protect your credit and your good name. For additional information, consumers may contact the Attorney General's consumer hotline at (617) 727-8400, or view the Federal Trade Commission's identity theft resource, available at www.ftc.gov/idtheft/.

##########