Sony has confirmed that the recent attack on the PlayStation Network has resulted in the accessing of untold numbers of user accounts and the personal information associated with those accounts. Sony has yet to identify how many accounts were compromised, and while “there is no evidence at this time that credit card data was taken," Sony admited that "we cannot rule out the possibility.” So for the sake of assuming the worst and hoping for the best, here’s a handy guide for what your next course of action should be.
According to its official statement released today, Sony identified that the following information was made vulnerable during the attack window of April 17-19:
- Name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID.
- It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.
Now, while a credit card number is not required to set up a PSN account, the information listed above could be used to access bank accounts, so even if you didn’t attach a credit card number to your account, you’re still not entirely free and clear. For now though, just let’s just say your credit card info (minus the security code, per Sony’s statement) and personal data have been compromised. What now?
- TransUnion: 1-800-680-7289; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
- Equifax: 1-800-525-6285; P.O. Box 740241, Atlanta, GA 30374-0241
- Experian: 1-888-EXPERIAN (397-3742); P.O. Box 9554, Allen, TX 75013
So chances are if your account was compromised, your credit card company has been made aware of it. Still, here are the steps the Federal Trade Commission recommends you take to make sure you are protected against full on identity theft:
Place a fraud alert on your credit reports, and review your credit reports
- Fraud alerts can help prevent an identity thief from opening any more accounts in your name. Contact the toll-free fraud number of any of the three consumer reporting companies below to place a fraud alert on your credit report. You only need to contact one of the three companies to place an alert. The company you call is required to contact the other two, which will place an alert on their versions of your report, too. If you do not receive a confirmation from a company, you should contact that company directly to place a fraud alert.
- Once you place the fraud alert in your file, you're entitled to order one free copy of your credit report from each of the three consumer reporting companies, and, if you ask, only the last four digits of your Social Security number will appear on your credit reports. Once you get your credit reports, review them carefully. Look for inquiries from companies you haven't contacted, accounts you didn't open, and debts on your accounts that you can't explain. Check that information, like your Social Security number, address(es), name or initials, and employers are correct. If you find fraudulent or inaccurate information, get it removed. See Correcting Fraudulent Information in Credit Reports to learn how. When you correct your credit report, use an Identity Theft Report with a cover letter explaining your request, to get the fastest and most complete results. Continue to check your credit reports periodically, especially for the first year after you discover the identity theft, to make sure no new fraudulent activity has occurred.
Close the accounts that you know, or believe, have been tampered with or opened fraudulently
- Call and speak with someone in the security or fraud department of each company. Follow up in writing, and include copies (NOT originals) of supporting documents. It's important to notify credit card companies and banks in writing. Send your letters by certified mail, return receipt requested, so you can document what the company received and when. Keep a file of your correspondence and enclosures.
- When you open new accounts, use new Personal Identification Numbers (PINs) and passwords. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your Social Security number or your phone number, or a series of consecutive numbers.
- If the identity thief has made charges or debits on your accounts, or has fraudulently opened accounts, ask the company for the forms to dispute those transactions:
- For charges and debits on existing accounts, ask the representative to send you the company's fraud dispute forms. If the company doesn't have special forms, use the sample letter to dispute the fraudulent charges or debits. In either case, write to the company at the address given for "billing inquiries," NOT the address for sending your payments.
- For new unauthorized accounts, you can either file a dispute directly with the company or file a report with the police and provide a copy, called an “Identity Theft Report,” to the company.
- If you want to file a dispute directly with the company, and do not want to file a report with the police, ask if the company accepts the FTC’s ID Theft Affidavit (PDF, 56 KB). If it does not, ask the representative to send you the company's fraud dispute forms.
- However, filing a report with the police and then providing the company with an Identity Theft Report will give you greater protection. For example, if the company has already reported these unauthorized accounts or debts on your credit report, an Identity Theft Report will require them to stop reporting that fraudulent information. Use the cover letter to explain to the company the rights you have by using the Identity Theft Report. More information about getting and using an Identity Theft Report can be found here.
- Once you have resolved your identity theft dispute with the company, ask for a letter stating that the company has closed the disputed accounts and has discharged the fraudulent debts. This letter is your best proof if errors relating to this account reappear on your credit report or you are contacted again about the fraudulent debt.
File a complaint with the Federal Trade Commission
- You can file a complaint with the FTC using the online complaint form; or call the FTC's Identity Theft Hotline, toll-free: 1-877-ID-THEFT (438-4338); TTY: 1-866-653-4261; or write Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. Be sure to call the Hotline to update your complaint if you have any additional information or problems.
- By sharing your identity theft complaint with the FTC, you will provide important information that can help law enforcement officials across the nation track down identity thieves and stop them. The FTC can refer victims' complaints to other government agencies and companies for further action, as well as investigate companies for violations of laws the agency enforces.
- Additionally, you can provide a printed copy of your online Complaint form to the police to incorporate into their police report. The printed FTC ID Theft Complaint, in conjunction with the police report, can constitute an Identity Theft Report and entitle you to certain protections. This Identity Theft Report can be used to (1) permanently block fraudulent information from appearing on your credit report; (2) ensure that debts do not reappear on your credit report; (3) prevent a company from continuing to collect debts that result from identity theft; and (4) place an extended fraud alert on your credit report.
File a report with your local police or the police in the community where the identity theft took place.
- Call your local police department and tell them that you want to file a report about your identity theft. Ask them if you can file the report in person. If you cannot, ask if you can file a report over the Internet or telephone. See below for information about Automated Reports.
If the police are reluctant to take your report, ask to file a "Miscellaneous Incident" report, or try another jurisdiction, like your state police. You also can check with your state Attorney General's office to find out if state law requires the police to take reports for identity theft. Check the Blue Pages of your telephone directory for the phone number or check www.naag.org for a list of state Attorneys General.
- When you go to your local police department to file your report, bring a printed copy of your FTC ID Theft Complaint form, your cover letter, and your supporting documentation. The cover letter explains why a police report and an ID Theft Complaint are so important to victims.
- Ask the officer to attach or incorporate the ID Theft Complaint into their police report. Tell them that you need a copy of the Identity Theft Report (the police report with your ID Theft Complaint attached or incorporated)to dispute the fraudulent accounts and debts created by the identity thief. (In some jurisdictions the officer will not be able to give you a copy of the official police report, but should be able to sign your Complaint and write the police report number in the “Law Enforcement Report” section.)
It’s also important to remember that since you can’t access PSN, you can’t change your PSN password, so if you always use the same passwords online, you might want to change those passwords immediately as well as just another precautionary measure. We’ll be bringing you more news as it develops, so stay tuned. For now though, be sure to check out our PlayStation Network Hack FAQ: What We Know for all of the most recent info.