• Sony: Credit Card Data Safe - No Signs of Unauthorised Transactions

    By now everyone knows about the security breach that hit the PlayStation Network this past week. What started as a simple outage was soon disclosed as one of the largest incidents of data theft to hit the world of online gaming. The biggest concern on everyone's mind has been the safety of their credit card details stored with the service. So is there any need to cancel your credit card?

    Sony are assuring customers that all credit card data was encrypted on submission and should not be vulnerable to attack. In an FAQ posted on the official PlayStation blog:

    "Q: Was my personal data encrypted?

    A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

    Despite the encryption, Sony are not ruling out the possibility of data theft:

    "While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code, sometimes called a CVC or CSC number) and expiration date may have been obtained."

    Naturally, if anyone purporting to be a representative of Sony contacts you in the near future requesting personal or sensitive information, run away as fast as you can!

    In light of the breach, credit card companies including the likes of Wells Fargo, American Express and MasterCard have, according to business news site Bloomberg, stated that they are monitoring transactions closely and have not come across any unauthorised activity related to the incident.

    4 Comments
      duke0102 -
      "behind a very sophisticated security system"
      I wonder if they use the same unbeatable security with the PS3 FW lol
      I don't understand why they wouldn't go the extra mile by encrypting the user data as well
      bobbintb -
      "on submission"? I wonder what they mean by that. It's common knowledge that the console itself sends everything, including cc numbers, to PSN unencrypted.
      iLOVENZB -
      Sony, or the person in charge of protecting the physical security of information assets, are just careless. After going through my class notes, they failed to follow the basic principles of network security: proper encryption for starters, and obviously a proper network structure and risk management team.

      Anyone know how the PSN is actually structured? This appears to be the closest representation:

      Appears they exploited the firewall in order to get into the database.
      megabyteme -
      Originally posted by bobbintb:
      "on submission"? I wonder what they mean by that. It's common knowledge that the console itself sends everything, including cc numbers, to PSN unencrypted.
      Sending the info encrypted, and keeping their database encrypted are two different things. If the user data was secure in their databases, there would be no problems now. They were sloppy. They felt invincible. They were wrong. AND they have a SERIOUS ass-rape coming, too.