What Next? Sony Admits Even Bigger Security Breach: 25 Million Accounts

Those clouds over Sony (NYSE: SNE) are getting darker. The company has admitted yet another compromise of people’s private information, with this latest breach affecting over 25 million people, and now people are starting to wonder if, and when, heads are going to roll.

The latest breach, of accounts linked to the Sony Online Entertainment (SOE) gaming service, has an even more alarming set of numbers attached to it than the breach announced last week around the PlayStation Network and Sony’s on-demand entertainment service, Qriocity.

According to a statement from Sony,

“personal information from approximately 24.6 million SOE accounts may have been stolen, as well as certain information from an outdated database from 2007. The information from the outdated database that may have been stolen includes approximately 12,700 non-U.S. credit or debit card numbers and expiration dates (but not credit card security codes), and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain.”

This newest leak was apparently discovered during checks that Sony was making around last week’s problems, and it looks like this theft happened at the same time as those from PSN and Qriocity.

The company closed down the SOE network, including Sony’s Facebook games, after it discovered the problem yesterday. The SOE service, along with the PlayStation Network and Qriocity, remains closed for now.

This latest revelation, while once again casting a big shadow on the security of cloud-based services, is also drawing more dark looks at the company, in the form of blame and questions about who should be held responsible for these problems. Some investors are even calling for the resignation of Howard Stringer, the company’s CEO, adding accusations of being unable to handle this security crisis to existing criticisms over the competitiveness of the company’s product portfolio.

It hasn’t helped, either, that Sony yesterday declined to appear at a Congressional hearing on data theft and the impact on American consumers. (The Times notes that it is, however, providing some responses to the committee running the hearing; it could not attend due to its own ongoing investigation into the attacks, it claimed.)

As of yet, there have not been any announcements made about how this data may have been used, and who may have been behind this breach.

Sony has, however, admitted that there may be more to come. “They are hackers. We don’t know where they’re going to attack next,” a spokesperson told Reuters.

Unlike last week’s PSN and Qriocity breaches, Sony has not yet issued any guidance to affected users about what steps to take next in terms of safeguarding themselves. Here is the full list of details stolen from the Sony Online Entertainment service:

e-mail address
phone number
login name
hashed password

And the 10,700 direct debit records from accounts in Austria, Germany, Netherlands and Spain had this additional information taken:

bank account number
customer name
account name
customer address

Worth noting, too, that even though Sony calls the databases from 2007 “outdated”, there is a high chance that affected users still have the same banking details they had four years ago. Sony is offering users 30 days’ compensation, plus credit for each day the network remains closed. Nevertheless, a disastrous turn of events for the company.