Sony encrypted credit card data, but not user account info

The good news is your PSN credit card information was encrypted. The bad news is your user account info wasn't. That's not all, though - Sony still won't give us a straight answer on whether the credit card info was taken or what encryption has been used.
Written by Peter Cohen

There's more good news and bad news for users of Sony's PlayStation Network and Qriocity streaming service: The good news is that your credit card information is encrypted, and Sony says there's no evidence it was taken. The bad news is that your personal data wasn't encrypted. What's more, Sony's latest attempt to quell the furor surrounding this debacle is just raising more strident questions.

Posting to the official PlayStation blog, Sony Computer Entertainment's Patrick Seybold offered a canned question and answer list highlighting more details of the recent security failure that led to the exposure of 77 million PlayStation Network user accounts.

"The entire credit card table was encrypted and we have no evidence that credit card data was taken," said Sony.

This is the slimmest amount of good news for PlayStation Network users, but it alone raises very serious concerns, since Sony has yet to provide any details on what sort of encryption has been used to protect that credit card information.

As a result, PlayStation Network users have absolutely no idea how safe their credit card information may be.

But the bad news keeps rolling in:

"The personal data table, which is a separate data set, was not encrypted," Sony notes, "but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

A very sophisticated security system that ultimately failed, making it useless.

Why Sony failed to encrypt user account data is a question that security experts have already begun to ask. Along with politicians both in the United States and abroad.

Chances are Sony's not going to have an answer that's going to please anyone.

Sony added that they're implementing a system software update that will require all PlayStation Network users to change their passwords before they can access the system again.

When will that be? Sony is sticking to an earlier estimate that it will be back up and running a week from this past Wednesday. "However, we want to be very clear that we will only restore operations when we are confident that the network is secure."

Speaking as one of those 77 million PlayStation Network users, all I have to say, Sony, is that you damn well better be.

