Sony: Credit card data was encrypted
But no encryption for personal data, as Sony provides new update on security breach
Sony has claimed that credit card data stored on the PlayStation Network was encrypted and that there is still no evidence that credit card information has been stolen following last week's security breach of the online service.
Although on Tuesday Sony admitted that it could not rule out the possibility that credit card data had been taken, there is still no suggestion that the breach has been that serious.
According to an update on the official PlayStation Blog, "All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken.
"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."
While Sony still cannot guarantee that credit card information, encrypted or otherwise, was not taken, it continues to offer the same advice to customers: "If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."
"Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."
The protection of credit card data could be the first positive news for Sony during the ongoing scandal, but the admission that personal data was not encrypted could still prove damaging.
This data has already been confirmed as compromised and would be of significant use to criminals in terms of identity theft and as an aid to phishing scams.
Yesterday it was revealed that the Information Commissioner's Office in the UK is to quiz Sony over its online security arrangements.
But knowing that some dude in some country can log in with my account and do whatever he likes with it is still an issue to me. Not to mention that this person has my private data as well.
In times of social networking we are all diaphanous to most companies. That's why most spam mails and adverts always fit to your personal interests.
If people don't want to get their information stolen, they shouldn't even have a telephone at home not to start with the internet.
@Alex: I checked my mails and did not receive any info from Sony yet.
Edited 2 times. Last edit by Joe Winkler on 28th April 2011 10:43am
Have Sony not pointed out that even without the CSC that the cards can be used (as he illustrated with their own system!)?
Can online gamers and digital distribution recover from this?
Because the law only requires them to protect cc details. Everything else is a choice [EDIT] and we're assuming they chose not to protect the rest[/EDIT]
So far the public have not realised Sony [may] have done the absolute minimum required to avoid jail time and/or massive fines, rather than taking customer security seriously. It won't be pretty if they wake up and realise Sony chose not to protect all the data, protecting one database but not another is not an accident, it demonstrates a conscious choice was made.
Edited 1 times. Last edit by Paul Shirley on 28th April 2011 6:11pm
I take issue with your implication that users are at fault for just trying to live their lives. I mean, how disingenuous is that? "If people don't want to get their information stolen, they shouldn't even have a telephone at home not to start with the internet."
Let's continue the logical extent of that sort of argument: "Women who wear clothing that reveals their bodies in any way are asking to be abused. People who drive their cars are asking to be in an accident. People who ride trains or planes are asking to be bombed/hijacked." Also realising that it's not just people who have connectivity within their own home who have their identities/details stolen.... So eating out is a no-go. Having a bank or savings account is a no-go (banks have breaches too).
That's a seriously messed up worldview right there....
As for the "damage is not that high" comment. You basically nullify that with your next sentence... because your personal data is constant across multiple environments that you have no control over. Even if you, yourself, are not compromised by this. How many friends of yours on facebook, from your primary email address... here on GamesIndustry.biz.... can or could be targeted by malicious phishing or malware hooks by interacting with what/who they believe is you? The damage isn't just to the people who had their account information stolen but their families, their finances and their acquaintances' finances and families.
That old work chestnut about "don't open files in emails unless they're from a trusted source" is out the window as soon as you're no longer sure who you can trust. Considering it's impossible to keep Antivirus up-to-date with the newest of the new releases of malware compromises of information like has happened here are just unreal in terms of how things could play out.
Edited 1 times. Last edit by James Prendergast on 28th April 2011 10:04pm
That they never requested the CVC is outright wrong, I believe. I'm quite certain that I was a) asked for the CVC when I added a credit card to my PSN account recently, and b) was asked for it again (though not any other credit card information) when I first set up my PSP to use that account.
I quite believe that Sony's not storing it, of course, since that would normally be a breach of anybody's merchant account agreement. The CVC is supposed to be stored nowhere but in the credit card provider's database and written on the card itself (not on the magnetic stripe, though) so that it can act as evidence during initial card data entry that the person doing the entry is in possession of the physical card itself.
With the statement "maybe the damage isn't that high", I pointed at the fact that hackers AT LEAST didn't get the whole credit card address (which doesn't make it much better).
And you're definitely right about my "living in a cave prevents from evil" statement. It's just that everyone online is somehow in some way traced with his personal data anyway. So the least I know is that "they" know my interests (excluding Viagra) and where I live (even if I didn't post that anywhere).
The issue here is that Sony just messed up big time, and those things shouldn't happen. And yes, I'm not happy about that either.
Edited 2 times. Last edit by Joe Winkler on 29th April 2011 8:58am
And even if it did take 4 days to send out all the Japanese emails you'd have 25% of them receive an email on day 1, 25% receive an email on day 2 and so on. Not all of them arrive on day 4.