Sony Corporation and Sony Computer Entertainment announced on May 3rd that their ongoing investigation of illegal intrusions into Sony Online Entertainment LLC (SOE) systems revealed on May 2 that hackers may have stolen SOE customer information on April 16th and 17th, 2011 (PDT). SOE is based in San Diego, California, U.S.A.
This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, the Netherlands and Spain. Source: Sony Corporation
This is the largest data scandal on record and surpasses any other data theft by a large margin. It involves data on close to 100 million Sony customers. Given the magnitude of the data theft, even the Financial Times (FT) devoted an entire page to this story on May 2nd.
The Sony case raises a number of questions: Is Sony a victim of poor back-office technology? There are ample cases where companies invest in front-office systems to serve clients while neglecting their back-office systems.
Was the customer database outsourced? Sony should disclose where the customer data was housed and managed (the US, India or elsewhere). The FT article in particular raised the issue of consumers having to supply their sensitive personal data to companies while having no say in how that data is treated.
Why keep such a large customer database on one system? Segmenting it into separate silos, each with its own access controls, may prevent hackers from accessing the entire data file and its content.
Perhaps Sony would be better off having its client database managed by a credit bureau operator. Credit bureaus are in the business of safeguarding sensitive data and spend a lot of effort on securing their systems.
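To make the segmentation point concrete, the following is an added example (not Sony's code, and not describing how SOE's systems were actually built): a flat customer table is split into one silo per country, each silo is readable only with a token derived from that silo's own secret, and a simulated leak of one token shows how many records become reachable. The records, country codes and per-silo secrets are constructed for illustration; the country list simply mirrors the countries named above.

```python
"""Added example: how splitting a customer database into separately
credentialed silos limits what one stolen credential exposes.
All records and secrets below are constructed for illustration."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample rows: (account_id, country, payment_reference)
RECORDS = [
    ("acct-001", "AT", "card-ref-1"),
    ("acct-002", "DE", "card-ref-2"),
    ("acct-003", "DE", "card-ref-3"),
    ("acct-004", "NL", "card-ref-4"),
    ("acct-005", "ES", "card-ref-5"),
    ("acct-006", "ES", "card-ref-6"),
]

# Hypothetical per-silo secrets. In a real deployment these would be distinct
# database roles or credentials held by separate services, never one shared key.
SILO_SECRETS = {
    "AT": b"constructed-secret-at",
    "DE": b"constructed-secret-de",
    "NL": b"constructed-secret-nl",
    "ES": b"constructed-secret-es",
}


def segment(records):
    """Split the flat customer table into one silo per country."""
    silos = defaultdict(list)
    for account_id, country, payment_ref in records:
        silos[country].append((account_id, payment_ref))
    return dict(silos)


def silo_token(country, secret):
    """Derive an access token bound to exactly one silo (HMAC over the silo name)."""
    return hmac.new(secret, country.encode(), hashlib.sha256).hexdigest()


def read_silo(silos, country, token):
    """Return a silo's rows only if the token was derived from that silo's secret."""
    expected = silo_token(country, SILO_SECRETS[country])
    if not hmac.compare_digest(expected, token):
        raise PermissionError(f"token not valid for silo {country}")
    return silos[country]


def exposed_by_single_token(silos, stolen_token):
    """Model a breach in which one silo token leaked: count the rows it can reach."""
    reachable = 0
    for country in silos:
        try:
            reachable += len(read_silo(silos, country, stolen_token))
        except PermissionError:
            pass  # token is rejected by every other silo
    return reachable


def exposed_monolithic(records):
    """With one database and one credential, a single leak exposes every row."""
    return len(records)


if __name__ == "__main__":
    silos = segment(RECORDS)
    leaked = silo_token("DE", SILO_SECRETS["DE"])
    print("monolithic store, one leaked credential:", exposed_monolithic(RECORDS))
    print("segmented store, one leaked DE token:   ", exposed_by_single_token(silos, leaked))
```

The token check is deliberately per silo: a credential minted for the DE silo is rejected by AT, NL and ES, so the blast radius of a single leak is one silo's rows rather than the whole table. The same idea applies at the infrastructure level (separate database instances, separate service accounts, separate network segments), where it also gives defenders a clear signal when one credential starts touching data it was never issued for.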
Most likely the case will have regulatory implications, with privacy advocates and data protection authorities pushing for tighter regulations.