Sony Says Credit Card Data Was Encrypted In PlayStation Network Hack

5:59 PM EST Thu. Apr. 28, 2011
While Sony confirmed late Wednesday that all stored credit card information was encrypted on its PlayStation Network and Qriosity Services, and reiterated that there was no evidence that the data was taken, security experts contend that the stolen information could still be used to harm many users.
"All of the data was protected, and access was restricted both physically and through the perimeter and security of the network," said Patrick Seybold, senior director of corporate communications and social media for Sony, in a company update late Wednesday. "The entire credit card table was encrypted and we have no evidence that credit card data was taken."
The confirmation follows in the wake of a massive external attack on the Sony PlayStation Network and Qriosity Services, which compromised upwards of 70 million customer records last week. Following the breach, the Sony executive team waited several days to disclose the hack, and a week later to reveal that personal customer information had been exposed.
However, Seybold said that the data table for customers' personal information, which resided on a separate data set, was not encrypted, but added that it was "behind a very sophisticated security system" that was breached in the malicious attack. That data table included users' addresses, e-mail addresses, dates of birth and other personally identifying information.
Seybold added that while the credit card data was encrypted, "we cannot rule out the possibility" of theft.
"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained," he said.
Sony's update attempted to clear up confusion around the company's statements last Tuesday. Those statements listed stolen information that may have included credit card numbers, purchase history, billing addresses and the security answers used to change passwords, which led users to believe that the company was storing all of its sensitive information unencrypted.
Meanwhile, Sony has been silent about whether the unencrypted data table housing users' personal information also contained customers' user names, passwords and the answers to the secret questions used to change passwords and access their accounts.
However, experts maintain that even seemingly innocuous information, such as user names and passwords, is routinely used by hackers to infiltrate other sensitive accounts and conduct identity theft and other malicious activities.
Security solution providers say that in light of 70 million compromised records, there is a strong likelihood that a large number of customers are using the same user names and passwords for other accounts such as banking, PayPal or Amazon, which would give attackers hacking into one account easy access to any others that relied on the same login credentials.
"Just having the address, e-mail address, full name, zip and date of birth, you can get a lot of accounts opened up," said Leo Bletnitsky, CEO of Las Vegas Med IT, based in Las Vegas, Nev. "You have to assume that organizations are going to have breaches; ideally you have different passwords for different organizations."
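The risk the experts describe above, that a stolen account table hands attackers passwords and security answers that are reused elsewhere, is largely removed when those secrets are never stored in plaintext. The following is an added illustration, not Sony's code and not described in the article: each secret is stored only as a salted PBKDF2 hash, so a copy of the table reveals neither the password nor the security answer, and two users who chose the same password do not even produce the same stored value. The `accounts` rows and the iteration count are constructed for the demo.

```python
"""Store account secrets so that a leaked table does not yield reusable credentials.

Added example, not code from the article or from Sony. The account records,
sample users and parameters below are constructed for demonstration only.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Demo parameters (assumed, not from the article). Use current guidance for
# real deployments; the point here is the structure, not the exact numbers.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def _normalize_answer(answer: str) -> str:
    """Security answers are free text typed by a person; normalise case and
    whitespace so "Fluffy " and "fluffy" verify the same without storing the
    plaintext answer anywhere."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def hash_secret(secret: str, salt: Optional[bytes] = None) -> dict:
    """Return the only fields that should reach the database: a random
    per-record salt, the derived hash, and the work factor used."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_secret(secret: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def create_account(user: str, password: str, security_answer: str) -> dict:
    """Build one row of the (constructed) accounts table. Note that no field
    holds the password or the answer itself."""
    return {
        "user": user,
        "password": hash_secret(password),
        "answer": hash_secret(_normalize_answer(security_answer)),
    }


def check_login(row: dict, password: str) -> bool:
    return verify_secret(password, row["password"])


def check_answer(row: dict, answer: str) -> bool:
    return verify_secret(_normalize_answer(answer), row["answer"])


def plaintext_in_row(row: dict, secret: str) -> bool:
    """What an attacker holding a copy of the row would see: True only if the
    secret appears verbatim in any stored field."""
    return any(secret == v for field in ("password", "answer") for v in row[field].values())


def same_password_same_hash(row_a: dict, row_b: dict) -> bool:
    """Without per-record salts, identical passwords would be spotted at a glance
    across the table; with salts the stored hashes differ."""
    return row_a["password"]["hash"] == row_b["password"]["hash"]


if __name__ == "__main__":
    # Constructed sample users, not real data.
    alice = create_account("alice", "correct horse battery", "Fluffy")
    bob = create_account("bob", "correct horse battery", "Rex")
    print("login ok:", check_login(alice, "correct horse battery"))
    print("wrong password rejected:", not check_login(alice, "Correct horse battery"))
    print("answer ok despite spacing/case:", check_answer(alice, " fluffy "))
    print("plaintext present in row:", plaintext_in_row(alice, "correct horse battery"))
    print("reused password visible across rows:", same_password_same_hash(alice, bob))
```

The same structure applies to the security answers the article mentions: they are reset credentials in all but name and deserve the same treatment as passwords. A breached table then still exposes names, addresses and dates of birth, which this scheme cannot protect, but it does not hand over credentials that work on the victim's bank or PayPal account.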
Meanwhile, security experts contend that even if Sony had been employing standard security products such as a firewall and encryption, its security practices fell significantly short of adequately protecting its customers' information, and there was little way to tell whether it had passed compliance audits.
"There is abundant technology to prevent this breach and/or limit its scope, but Sony chose not to implement it," said Phil Lieberman, CEO of Lieberman Software, in an e-mail. "Putting this much data in a single database that is publicly extractable with no limits is shameful given what is available today to protect against this type of loss."
Lieberman added that compliance regulations such as PCI often lack any kind of real penalties or consequences for big companies that fall short of meeting the mandated security requirements.
"The loss of your personal information will most likely be nothing more than a 'cost of doing business' for this type of company—you will take the pain and they will take a hit to their reputation (maybe)," he said. "It is for this reason we are fundamentally opposed to hiding PCI results as well as SAS70 reports from the public. If you don't have access to the full internal security report of a vendor you are dealing with, you should expect that they have little to no real security and that your data will probably be compromised."