Sony encrypted credit card data, but not user account info

By | April 28, 2011, 8:50am PDT

Summary: The good news is your PSN credit card information was encrypted. The bad news is your user account info wasn’t. That’s not all, though - Sony still won’t give us a straight answer on whether the credit card info was taken or what encryption has been used.

There’s more good news and bad news for users of Sony’s PlayStation Network and Qriocity streaming service: The good news is that your credit card information is encrypted, and Sony says there’s no evidence it was taken. The bad news is that your personal data wasn’t encrypted. What’s more, Sony’s latest attempt to quell the furor surrounding this debacle is just raising more strident questions.

Posting to the official PlayStation blog, Sony Computer Entertainment's Patrick Seybold offered a canned question-and-answer list highlighting more details of the recent security failure that led to the exposure of 77 million PlayStation Network user accounts.

“The entire credit card table was encrypted and we have no evidence that credit card data was taken,” said Sony.

This is the slimmest amount of good news for PlayStation Network users, but it alone raises very serious concerns, since Sony has yet to provide any details on what sort of encryption has been used to protect that credit card information.

As a result, PlayStation Network users have absolutely no idea how safe their credit card information may be.

But the bad news keeps rolling in:

“The personal data table, which is a separate data set, was not encrypted,” Sony notes, “but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”

A very sophisticated security system that ultimately failed, making it useless.

Why Sony failed to encrypt user account data is a question that security experts have already begun to ask, along with politicians both in the United States and abroad.

Chances are Sony’s not going to have an answer that’s going to please anyone.

Sony added that they’re implementing a system software update that will require all PlayStation Network users to change their passwords before they can access the system again.

When will that be? Sony is sticking to an earlier estimate that it will be back up and running a week from this past Wednesday. “However, we want to be very clear that we will only restore operations when we are confident that the network is secure.”

Speaking as one of those 77 million PlayStation Network users, all I have to say, Sony, is that you damn well better be.

A long-time veteran of the Apple news business, Peter has also spent more than fifteen years covering games and the game industry. A self-proclaimed Alpha Nerd, Peter also professes a love for anime, sci-fi cons, gadgets of all kinds and various geek subcultures.

Disclosure

Peter Cohen

Peter Cohen does not own any stock or have any investments in any of the companies he writes about.

Biography

Peter Cohen

A resident of Cape Cod, Massachusetts, Peter has spent more than fifteen years writing about games and the game industry. For a decade Peter was senior editor for Macworld magazine, writing online news and covering the Apple game beat in Macworld's Game Room column.

Peter is currently executive editor for The Loop, an Apple news and analysis site founded by former Macworld editors. He's cohost of Angry Mac Bastards, a weekly podcast that viciously eviscerates some of what passes for Apple-related news and analysis in the tech blogosphere.

Peter is also a freelance technology journalist and reviewer whose words can be found in Macworld, Mac|Life, MacUser, MacFormat and Tap! Magazine.

23 Comments

should have used Linux and OSS
Linux Geek 28th Apr 2011
and no breach would be possible
@Linux Geek If there was a "Flagged: Unbelievable Moron" option I'd use it here.

There is absolutely NO information on what their backend systems run on. NOTHING.

But here you are, spreading pro-Linux FUD. Choke on a
@Linux Geek Funny thing is I seem to recall one of you Linux Heads saying that they WERE running Linux... D'OH!
@Linux Geek

hey moron sony uses Linux on the console and servers and opengl and it still got hacked into
According to Netcraft
Bill Pharaoh Updated - 28th Apr 2011
@Linux Geek
they look to be running Apache on Linux.

Maybe that was the problem from the beginning?

Maybe we should ask that Linux Advocate guy?
@Linux Geek

Maybe they should have not hired arrogant Linux fanboys like yourself who are naive enough to think that Linux is impenetrable and can therefore ignore something as trivial as security.
Ars Technica is reporting...
wolf_z 28th Apr 2011
...some of their users are reporting fraudulent charges on their cards--and those cards were linked to PSN.

http://arstechnica.com/gaming/news/2011/04/ars-readers-report-credit-card-fraud-blame-sony.ars
Meh
His_Shadow 28th Apr 2011
@wolf_z There are 77 million PSN users. I'm pretty sure one can get some numbers on the average amount of CC fraud and realize that people's cards get fraudulent charges all the time. There is no reason to jump to the conclusion it's because of the PSN hack, as 10 will get you 20, anyone using their CC on PSN uses it on any number of other online services.
@His_Shadow

I agree with you. There is no evidence at this point to relate one or two dodgy credit purchases to the other debacle. Credit cards are fraudulently accessed all the time. It may well simply be a coincidence.
It's been about 4 years since I changed my master password and this gave me a good reason to.

My account name is different on PSN than 99% of the other sites I visit so I'm pretty safe, regardless.

Already canceled the card I had on file with them when the network first went down (I was cautious).

Get it back up already, I want to redeem some Rock Band 3 codes.
@Droid101

I want to frag some noobs in SOCOM4!!
Does this mean they were storing passwords in plain text???

Unix has been storing passwords as one-way hashed values since the mid 70s.

If it's true Sony wasn't doing that then someone needs firing...
@jeffpk

I, too, am somewhat baffled by this. It makes no sense to me why user information was not also encrypted. This is not my industry, but I would have thought that it would be done as a matter of course. Can anyone explain?
My guess is that your user info
Bill Pharaoh 29th Apr 2011
@ptorning
is used throughout parts of Sony, while credit card info is specific to the site alone, so unencrypted makes it easier to access?
@Bill Pharoah

Thank you. That makes sense.