Page 1 of 2
While Sony confirmed late Wednesday that all stored credit card information was encrypted on its PlayStation Network and Qriosity Services, and reiterated that there was no evidence that the data was taken, security experts contend that the stolen information could still be used to harm many users.
"All of the data was protected, and access was restricted both physically and through the perimeter and security of the network," said Patrick Seybold, senior director of corporate communications and social media for Sony, in a company update late Wednesday. "The entire credit card table was encrypted and we have no evidence that credit card data was taken."
The confirmation follows in the wake a massive external hack occurring against the Sony PlayStation Network and Qriosity Services, which compromised upwards of 70 million customer records last week. Following the breach, the Sony executive team waited several days to disclose the hack and until a week later to reveal that personal customer information had been exposed.
However, Seybold said that the data table for customer's personal information, which resided on a separate data set, was not encrypted, but added that it was "behind a very sophisticated security system," that was breached in the malicious attack. That data table included users' addresses, e-mail addresses, date of birth and other personally identifying information.
Seybold added that while the credit card data was encrypted, "we cannot rule out the possibility" of theft.
"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained," he said.
Sony's update attempted to clarify any confusion around the company's statements last Tuesday regarding stolen information that may have included credit card numbers, as well as purchase history, billing addresses, and security answers used to change passwords that would lead users to believe that the company was storing all of its sensitive information unencrypted.
Meanwhile, Sony has been silent about whether the unencrypted data table housing user's personal information also contained customers' user names, passwords and the answers to secret questions to change passwords and access their accounts.
However, experts maintain that even seemingly innocuous information, such as user names and passwords, are routinely used by hackers to infiltrate other sensitive accounts and conduct identity theft and other malicious activities.
Security solution providers say that in light of 70 million compromised records, there is a strong likelihood that a large number of customers are using the same user names and passwords for other accounts such as banking, PayPal or Amazon, which would give attackers hacking into one account easy access to any others that relied on the same login credentials.
"Just having the address, e-mail address full name zip and date of birth, you can get a lot of accounts opened up," said Leo Bletnitsky, CEO of Las Vegas Med IT, based in Las Vegas, Nev. "You have to assume that organizations are going to have breaches, ideally you have different passwords for different organizations."