Sony encrypted credit card data, but not user account info

Summary: The good news is your PSN credit card information was encrypted. The bad news is your user account info wasn't. That's not all, though - Sony still won't give us a straight answer on whether the credit card info was taken or what encryption has been used.

There's more good news and bad news for users of Sony's PlayStation Network and Qriocity streaming service: The good news is that your credit card information is encrypted, and Sony says there's no evidence it was taken. The bad news is that your personal data wasn't encrypted. What's more, Sony's latest attempt to quell the furor surrounding this debacle is just raising more strident questions.

Posting to the official PlayStation blog, Sony Computer Entertainment's Patrick Seybold offered a canned question and answer list highlighting more details of the recent security failure that led to the exposure of 77 million PlayStation Network user accounts.

"The entire credit card table was encrypted and we have no evidence that credit card data was taken," said Sony.

This is the slimmest amount of good news for PlayStation Network users, but it alone raises very serious concerns, since Sony has yet to provide any details on what sort of encryption has been used to protect that credit card information.

As a result, PlayStation Network users have absolutely no idea how safe their credit card information may be.

But the bad news keeps rolling in:

"The personal data table, which is a separate data set, was not encrypted," Sony notes, "but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

A very sophisticated security system that ultimately failed, making it useless.

Why Sony failed to encrypt user account data is a question that security experts have already begun to ask, along with politicians both in the United States and abroad.

Chances are Sony's not going to have an answer that's going to please anyone.

Sony added that they're implementing a system software update that will require all PlayStation Network users to change their passwords before they can access the system again.

When will that be? Sony is sticking to an earlier estimate that it will be back up and running a week from this past Wednesday. "However, we want to be very clear that we will only restore operations when we are confident that the network is secure."

Speaking as one of those 77 million PlayStation Network users, all I have to say, Sony, is that you damn well better be.

Topics: Hardware, Mobility, Networking

Talkback

15 comments
  • should have used Linux and OSS

    and no breach would be possible
    Linux Geek
    • RE: Sony encrypted credit card data, but not user account info

      @Linux Geek If there was a "Flagged: Unbelievable Moron" option I'd use it here.

      There is absolutely NO information on what their backend systems run on. NOTHING.

      But here you are, spreading pro-Linux FUD. Choke on a
      samalie
    • RE: Sony encrypted credit card data, but not user account info

      @Linux Geek Funny thing is I seem to recall one of you Linux Heads saying that they WERE running Linux... D'OH!
      athynz
    • RE: Sony encrypted credit card data, but not user account info

      @Linux Geek

      Hey moron, Sony uses Linux on the console and servers and OpenGL and it still got hacked into
      Viper589
    • According to Netcraft

      @Linux Geek
      they look to be running Apache on Linux.

      Maybe that was the problem from the beginning?

      Maybe we should ask that Linux Advocate guy?
      Bill Pharaoh
    • RE: Sony encrypted credit card data, but not user account info

      @Linux Geek

      Maybe they should have not hired arrogant Linux fanboys like yourself who are naive enough to think that Linux is impenetrable and can therefore ignore something as trivial as security.
      jimsj
  • Ars Technica is reporting...

    ...some of their users are reporting fraudulent charges on their cards--and those cards were linked to PSN.

    http://arstechnica.com/gaming/news/2011/04/ars-readers-report-credit-card-fraud-blame-sony.ars
    wolf_z
    • Meh

      @wolf_z There are 77 million PSN users. I'm pretty sure one can get some numbers on the average amount of CC fraud and realize that people's cards get fraudulent charges all the time. There is no reason to jump to the conclusion it's because of the PSN hack, as 10 will get you 20, anyone using their CC on PSN uses it on any number of other online services.
      His_Shadow
      • RE: Sony encrypted credit card data, but not user account info

        @His_Shadow

        I agree with you. There is no evidence at this point to relate one or two dodgy credit purchases to the other debacle. Credit cards are fraudulently accessed all the time. It may well simply be a coincidence.
        Wakemewhentrollsgone
  • RE: Sony encrypted credit card data, but not user account info

    It's been about 4 years since I changed my master password and this gave me a good reason to.

    My account name is different on PSN than 99% of the other sites I visit so I'm pretty safe, regardless.

    Already canceled the card I had on file with them when the network first went down (I was cautious).

    Get it back up already, I want to redeem some Rock Band 3 codes.
    Droid101
    • RE: Sony encrypted credit card data, but not user account info

      @Droid101

      I want to frag some noobs in SOCOM4!!
      Aeon Locke
  • RE: Sony encrypted credit card data, but not user account info

    Does this mean they were storing passwords in plain text???

    Unix has been storing passwords as one-way hashed values since the mid 70s.

    If it's true Sony wasn't doing that then someone needs firing...
    jeffpk
    • RE: Sony encrypted credit card data, but not user account info

      @jeffpk

      I, too, am somewhat baffled by this. It makes no sense to me why user information was not also encrypted. This is not my industry, but I would have thought that it would be done as a matter of course. Can anyone explain?
      Wakemewhentrollsgone
      • My guess is that your user info

        @ptorning
        is used throughout parts of Sony, while credit card info is specific to the site alone, so unencrypted makes it easier to access?
        Bill Pharaoh
      • RE: Sony encrypted credit card data, but not user account info

        @Bill Pharaoh

        Thank you. That makes sense.
        Wakemewhentrollsgone