Thursday, April 28, 2011

Sony says hacked PlayStation Network credit card data was encrypted

Sony said that all credit card information on its hacked PlayStation Network was protected with encryption. As the outage for the online game service for the PlayStation 3 entered its eighth day, the company sought to reassure angry users.

Sony is telling PlayStation users that it had encrypted the credit card data that hackers may have stolen, reducing but not eliminating the chances that thieves could have used the information.

Sony Corp. said in a blog post Wednesday that while it had no direct evidence the data was even taken, it cannot rule out the possibility. It did not say how strong the encryption was, and it is possible for hackers to decipher files that are weakly encrypted — it's just more difficult.

"All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken," the company wrote in its blog post.

Users were angry that Sony took six days to inform them that their personal data had been stolen, but the exact nature of the credit card theft isn’t precisely known. I was among those 77 million PSN and Qriocity users who had my personal data stolen, and I received an apologetic email from Sony yesterday. Sony clearly has a long way to go to earn back the trust of gamers, and it seems to be aware that communicating clearly and quickly has to be its priority right now.

Patrick Seybold, spokesman for Sony, said in an updated statement that the “entire credit card table was encrypted and we have no evidence that credit card data was taken.” The personal data, such as names and emails, was not encrypted. Sony said it cannot rule out the possibility that credit card information was taken. If it was, then the card number and date of issuance were likely taken, but not the credit card security number on the back of a card.

“First off, we want to again thank you for your patience,” Seybold said. “We know that the PlayStation Network and Qriocity outage has been frustrating for you. We know you are upset, and so we are taking steps to make our services safer and more secure than ever before. We sincerely regret any inconvenience or concern this outage has caused, and rest assured that we’re going to get the services back online as quickly as we can.”

Sony has hired a “recognized technology security firm” to conduct a full investigation of the “malicious attack” against the PSN. Sony said it won’t ask anyone for their credit card, social security or other personally identifiable information. Sony suggests that users log on and change the password once the PSN service comes back, presumably within a week. Consumers can visit Sony’s support site for more notices.

Sony says it is adding several measures to improve the security of the PSN once it comes back online, including moving the company’s network infrastructure and data center to a new, more secure location.

Sony says that of the 77 million PlayStation Network accounts, about 36 million are in the U.S. and elsewhere in the Americas, 32 million in Europe and 9 million in Asia, mostly in Japan.