PlayStation credit card data was encrypted
Sony has confirmed that the credit card details possibly stolen in a breach of its PlayStation Network (PSN) were encrypted.
(Complete image by Timypenburg, CC BY-SA 2.0)
Customer names, addresses, email addresses, birthdays, PlayStation Network and Qriocity passwords and user names, as well as online user handles, were obtained illegally by an "unauthorised person", according to Sony. The data was accessed between 17 and 19 April and potentially affects up to 75 million customers.
The tech giant said on its blog that "all credit card information stored in our systems is encrypted", but added that it cannot rule out the possibility that the card data was stolen.
It said that it was only an "abundance of caution" on its part that had caused it to advise customers that credit card numbers and expiration dates may have been compromised. Security codes and Card Code Verification numbers are not recorded on the network.
While the strength of encryption has not been revealed, its existence is welcome news for users of the compromised networks because it reduces the likelihood that details can be used to commit fraud.
Encryption of credit card data is a requirement of Payment Card Industry Data Security Standards (PCI-DSS), but it is not infallible, Securus Global managing director Drazen Drazic said.
Drazic pointed out that front-end applications may provide certain users the rights to view the unencrypted credit card details. "If say a database admin account gets compromised, then the cards may be exposed," he said.
Sony said that it is pushing out a system software update "that will require all users to change their password once PlayStation Network is restored", a move that hints that although credit card data was encrypted, customer passwords were not.
Sony stressed that customers should change passwords that are shared across other accounts, as they may be targeted by attackers.
A class action suit has already been filed in the United States, which has accused Sony of not taking "reasonable care to protect, encrypt and secure the private and sensitive data of its users".