Sony: Credit card data was encrypted

But no encryption for personal data, as Sony provides new update on security breach

Sony has claimed that credit card data stored on the PlayStation Network was encrypted and that there is still no evidence that credit card information has been stolen following last week's security breach of the online service.

Although on Tuesday Sony admitted that it could not rule out the possibility that credit card data had been taken, there is still no suggestion that the breach has been that serious.

According to an update on the official PlayStation Blog, "All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken.

"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

While Sony still cannot guarantee that credit card information, encrypted or otherwise, was not taken, it continues to offer the same advice to customers: "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

"Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."

The protection of credit card data could be the first positive news for Sony during the ongoing scandal, but the admission that personal data was not encrypted could still prove damaging.

This data has already been confirmed as compromised and would be of significant use to criminals in terms of identity theft and as an aid to phishing scams.

Yesterday it was revealed that the Information Commissioner's Office in the UK is to quiz Sony over its online security arrangements.

Latest comments (29)

gi biz ;,pgc.eu 5 years ago
If their encryption key is as safe as the one they used in the PS3...
Christopher Bowen Owner, Gaming Bus 5 years ago
What type of encryption? Talk... technical to me, baby. What kind of encryption, Sony?
Alasdair Gray Junior Account Planner, Five by Five 5 years ago
Surely this information should be getting emailed to PSN customers, rather than just posted on their blog?
Joe Winkler trained retail salesman, Expert 5 years ago
@Alasdair: Agreed. Well that sounds like the damage is not that high.
But knowing that some dude in some country can log in with my account and do whatever he likes with it is still an issue to me. Not to mention that this person has my private data as well.
In times of social networking we are all diaphanous to most companies. That's why most spam mails and adverts always fit to your personal interests.
If people don't want to get their information stolen, they shouldn't even have a telephone at home not to start with the internet.

@Alex: I checked my mails and did not receive any info from Sony yet.

Edited 2 times. Last edit by Joe Winkler on 28th April 2011 10:43am

James Poole Managing Director, Sarcastic Hedgehog Ltd 5 years ago
Why would anyone in Sony's position not have the password details encrypted as well?

Try to live on a digital desert island. Perhaps having an old-school dial-up is the way forward for the security conscious?
Alex Loffstadt Community Manager, Outso Ltd 5 years ago
@Joe With your PSN settings have you set them to allow e-mail messages from PSN and have you checked your Spam Filter? :) I've received messages over the past couple of days but it may be dependent on your PSN region or the mails may be going out in batches... *Shrug*

A friend I work with discovered a bunch of illegal purchases on his credit card 2 days ago (bank has been notified, etc). He had a PSN account which included his CC details - he couldn't think of any other obvious source, never happened before, etc.
Patrick Frost QA Project Monitor 5 years ago
@Micheal - I think that's quite a long shot. Many people get their cards cloned by entirely real world means or having their identities stolen by people sorting through their rubbish bins.

Have Sony not pointed out that even without the CSC the cards can be used (as he illustrated with their own system!)?
Fran Mulhern, Recruit3D 5 years ago
I haven't had a single email from Sony to my PSN linked email address yet.
Stuart Green Studying BTEC Games Development, Derby College 5 years ago
@Joe: I wonder which of my personal interests get me spammed with penis enlargement and Viagra products??
gi biz ;,pgc.eu 5 years ago
@patrick: yup, apparently the most dangerous place where you can get your card cloned is in shops: modifying the POS (the owner is not necessarily aware) is one of the easiest ways of collecting a lot of cards. Still, they should expect a lot of "false positives" at Sony, unless one can find the culprit the most obvious cause is the breach at Sony.
Mikael William Bergene Artist 5 years ago
It's interesting. I had two accounts, one for my current US residency and my old UK one. Only the email registered with the US one has been contacted regarding the issue.
Philipp Nassau Student - Business Administration (M. Sc.) 5 years ago
I'm sorry but after the PS3 Keys I don't trust any Sony encryption. These guys made way too many mistakes in the past to feel safe now. Considering that the system stores the whole information and automatized access to it happens in a few seconds I see no reason why they should expect it not to be breached after seeing to what extent the hackers could move inside the system.
Geoff Spick Editor/Writer 5 years ago
Sony must have known that a week ago, telling everyone back then would have saved a lot of grief (and me cancelling my card)
Phil Blunt indie developer 5 years ago
sounds like a lie to me, there are posts on the net from 3 months previous to this that suggest the data is not encrypted. sounds like they are trying to dodge the fail in their data protection act compliance.

can online gamers and digital distribution recover from this?
James Poole Managing Director, Sarcastic Hedgehog Ltd 5 years ago
I have two PS3s, one UK and one US. Only the email address associated with the US one has been contacted.

I didn't get an email until late in the evening last night, so it might be that Sony have a backlog of people to inform.
Joe Winkler trained retail salesman, Expert 5 years ago
@Stuart: Penis enlargement and Viagra are the classic spam mails everyone receives nowadays (or at least if the email address exists for a few years). But in my case there are lots of spam mails (not to mention the Viagra stuff ;) that cover up with my personal interests. Games and movies and other hobbies I prefer are mostly in the content.
Brian Depaul Editor/Owner, Geek Gamer 5 years ago
It's going to be interesting to see how they deal with this issue
Paul Shirley Programmers 5 years ago
@James Poole: "why would anyone in Sony's position not have the password details encrypted as well?"

Because the law only requires them to protect cc details. Everything else is a choice [EDIT] and we're assuming they chose not to protect the rest[/EDIT]

So far the public have not realised Sony [may] have done the absolute minimum required to avoid jail time and/or massive fines, rather than taking customer security seriously. It won't be pretty if they wake up and realise Sony chose not to protect all the data, protecting one database but not another is not an accident, it demonstrates a conscious choice was made.

Edited 1 times. Last edit by Paul Shirley on 28th April 2011 6:11pm

James Prendergast Research Chemist 5 years ago
@Joe.

I take issue with your implication that users are at fault for just trying to live their lives. I mean, how disingenuous is that? "If people don't want to get their information stolen, they shouldn't even have a telephone at home not to start with the internet."

Let's continue the logical extent of that sort of argument: "Women who wear clothing that reveals their bodies in any way are asking to be abused. People who drive their cars are asking to be in an accident. People who ride trains or planes are asking to be bombed/hijacked." Also realising that it's not just people who have connectivity within their own home who have their identities/details stolen.... So eating out is a no-go. Having a bank or savings account is a no-go (banks have breaches too).

That's a seriously messed up worldview right there....

As for the "damage is not that high" comment. You basically nullify that with your next sentence... because your personal data is constant across multiple environments that you have no control over. Even if you, yourself, are not compromised by this. How many friends of yours on facebook, from your primary email address... here on GamesIndustry.biz.... can or could be targeted by malicious phishing or malware hooks by interacting with what/who they believe is you? The damage isn't just to the people who had their account information stolen but their families, their finances and their acquaintances' finances and families.

That old work chestnut about "don't open files in emails unless they're from a trusted source" is out the window as soon as you're no longer sure who you can trust. Considering it's impossible to keep Antivirus up-to-date with the newest of the new releases of malware compromises of information like has happened here are just unreal in terms of how things could play out.

Edited 1 times. Last edit by James Prendergast on 28th April 2011 10:04pm

Curt Sampson Software Developer 5 years ago
Alasdair: I have personally verified that a message arrived at the e-mail address for one Japanese PSN account about four days after the breach, and one arrived at the e-mail address for a U.S. PSN account about six days after the breach. The large delays are annoying, but I'm willing to cut Sony a bit of slack on this since they did have to send out some 75 million messages.
Curt Sampson Software Developer 5 years ago
"Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."

That they never requested the CVC is outright wrong, I believe. I'm quite certain that I was a) asked for the CVC when I added a credit card to my PSN account recently, and b) was asked for it again (though not any other credit card information) when I first set up my PSP to use that account.

I quite believe that Sony's not storing it, of course, since that would normally be a breach of anybody's merchant account agreement. The CVC is supposed to be stored nowhere but in the credit card provider's database and written on the card itself (not on the magnetic stripe, though) so that it can act as evidence during initial card data entry that the person doing the entry is in possession of the physical card itself.
Andy Grimbal Game Production, Turner Entertainment Network Asia 5 years ago
@Curt: I'd cut Sony some slack for delays in sending out 75 (or is it 77?) million emails, but there is no excuse for them not bringing the issue to light sooner by means of a press release - something they did six days after the fact.
Joe Winkler trained retail salesman, Expert 5 years ago
@James Prendergast.
With the statement "maybe the damage isn't that high", I pointed at the fact that hackers AT LEAST didn't get the whole credit card address (which doesn't make it much better).
And you're definitely right about my "living in a cave prevents from evil" statement. It's just that everyone online is somehow in some way traced with his personal data anyway. So the least I know is that "they" know my interests (excluding Viagra) and where I live (even if I didn't post that anywhere).

The issue here is that Sony just messed up big time, and those things shouldn't happen. And yes, I'm not happy about that either.

Edited 2 times. Last edit by Joe Winkler on 29th April 2011 8:58am

Jim Webb Executive Editor/Community Director, E-mpire Ltd. Co. 5 years ago
It doesn't take 4 days for Sony to send 75 million emails. I could push 24 million in 1 day on my own server using just the vBulletin forum software. And I'm willing to bet Sony's servers are a bit more powerful than my own and are using dedicated email software and dedicated email servers.

And even if it did take 4 days to send out all the Japanese emails you'd have 25% of them receive an email on day 1, 25% receive an email on day 2 and so on. Not all of them arrive on day 4.
Jeff Wilson 5 years ago
I think I shall purchase a Sony Network Card from a High Street Gaming Store to get the points I need for the DLC until Sony have sorted this out. I was thinking of purchasing DLC online recently from Sony Network for my PS3 Slim, I am glad I did not. We have never had this problem with Amazon, Apple or Microsoft Xbox Live. They maintain secure sites, what can't Sony?
Reilly Davis 5 years ago
at most it would take an hour to send those mails, it's all dynamic, it's not like they have to manually type in all addresses, and the most amusing spam i get is jessica alba is fat lol