bit-gamer.net

Sony admits personal data was not encrypted


Sony has admitted that the personal data of PSN users was not encrypted.

Sony has admitted that the personal data of PSN users, which may have been illegally accessed in a recent attack on the system, was not encrypted.

Thankfully, credit card information was stored separately from the personal data and was encrypted. Sony still claims it is yet to find evidence that the personal or credit card data was actually accessed or stolen, though the security system surrounding the files was compromised.

'All of the data was protected, and access was restricted both physically and through the perimeter and security of the network,' Sony said in a statement. 'The entire credit card table was encrypted and we have no evidence that credit card data was taken.

'The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.'

Sony is still advising customers to remain vigilant over their accounts, however.

'Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.'

Sony is hoping to restore some PSN services by 3rd May next week, while the UK's Information Commissioner's Office is set to grill the company on its security systems.
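The statement above draws the line between a credit card table that was encrypted and a personal data table that was not. As an added example (not Sony's code and not from the article), the program below shows what column-level encryption of such a personal data table looks like using only Go's standard library: every personal field is sealed with AES-256-GCM under a key that is generated and held outside the database, and the account ID plus column name are bound in as associated data so a ciphertext cannot be moved between rows or columns undetected. The record layout, column names and sample values are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// PersonalRecord stands in for the "personal data table" of the article; the
// field names are illustrative, not PSN's real schema.
type PersonalRecord struct{ AccountID, Name, Address, DOB string }

// EncryptedRow is what reaches disk: the account ID stays readable because it
// is the lookup key; every other column holds nonce||ciphertext||tag from AES-GCM.
type EncryptedRow struct {
	AccountID string
	Cols      map[string][]byte
}

// NewKey returns a random 256-bit key; in a real deployment it belongs in a
// KMS or HSM, not in the same database as the rows it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one value under a fresh random nonce. The aad string (account
// ID plus column name) is authenticated but not encrypted, so a ciphertext copied
// into another row or column will not decrypt.
func sealField(key []byte, plaintext, aad string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad)), nil
}

// openField reverses sealField. A flipped bit, wrong key or wrong aad fails
// GCM's tag check and returns an error instead of silently wrong data.
func openField(key, sealed []byte, aad string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptRecord is the write path: each personal column is sealed on its own.
func EncryptRecord(key []byte, r PersonalRecord) (EncryptedRow, error) {
	row := EncryptedRow{AccountID: r.AccountID, Cols: map[string][]byte{}}
	for col, val := range map[string]string{"name": r.Name, "address": r.Address, "dob": r.DOB} {
		sealed, err := sealField(key, val, r.AccountID+"|"+col)
		if err != nil {
			return EncryptedRow{}, err
		}
		row.Cols[col] = sealed
	}
	return row, nil
}

// DecryptRecord is the read path the application takes on every lookup.
func DecryptRecord(key []byte, row EncryptedRow) (PersonalRecord, error) {
	r := PersonalRecord{AccountID: row.AccountID}
	for col, dst := range map[string]*string{"name": &r.Name, "address": &r.Address, "dob": &r.DOB} {
		val, err := openField(key, row.Cols[col], row.AccountID+"|"+col)
		if err != nil {
			return PersonalRecord{}, fmt.Errorf("column %s: %w", col, err)
		}
		*dst = val
	}
	return r, nil
}

func main() {
	key, _ := NewKey()
	rec := PersonalRecord{"acct-0001", "Jane Example", "1 Sample Street", "1980-01-01"} // constructed sample
	row, _ := EncryptRecord(key, rec)
	fmt.Printf("stored name column: %x\n", row.Cols["name"]) // no name visible; differs on every write
	fmt.Println(DecryptRecord(key, row))
}
```

With this layout a copy of the table yields only ciphertext, so an attacker must also reach the key held in a separate system, and the GCM tag turns any tampering, key mix-up or row-to-row copying into a decryption error rather than a silently wrong value. The price is one AES-GCM operation per column on every read, which is the cost trade-off a design like this accepts.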

Let us know your thoughts in the forums.

34 Comments

Turbotab 28th April 2011, 12:04 Quote
How the hell can a company the size and stature of Sony act like such doughnuts!

I can't believe they aren't PCI-DSS compliant. Maybe Sony got confused about the meaning of PSN, thinking it meant Please Steal Numbers.
Kiytan 28th April 2011, 12:04 Quote
Why the hell would they not encrypt everything? I literally cannot think of a single reason not to.
Jamie 28th April 2011, 12:05 Quote
Don't worry Sony, I'll just cancel my date of birth and get a new one.
Von Lazuli 28th April 2011, 12:11 Quote
IRC logs of a discussion between people using the debug firmware to probe PSN security:
http://pastie.org/private/erihhjd2ccvj0lkmzbtuw

The table might have been encrypted, but it seems like all the calls were sent in plain-text.
nmunky 28th April 2011, 12:20 Quote
Why on earth won't Sony say definitively what data was encrypted and what wasn't? Specifically: were the passwords encrypted? This policy of being as vague as possible is only making the situation much worse.

I'm incredibly unimpressed with the secretive, deceptive nature of their response to this situation.

My hope is that the highly litigious nature of the USA works in everyone's favour for once and as many people as possible sue the living hell out of Sony so that they will finally take this stuff seriously.
lp1988 28th April 2011, 12:21 Quote
The most interesting thing here is that this shows just how much consoles look like PCs today. On top of that, if you can hack one machine you can hack them all, as they are all the same.
kempez 28th April 2011, 12:30 Quote
Quote:
Originally Posted by nmunky
Why on earth won't Sony say definitively what data was encrypted and what wasn't? Specifically: were the passwords encrypted? This policy of being as vague as possible is only making the situation much worse.

I'm incredibly unimpressed with the secretive, deceptive nature of their response to this situation.

My hope is that the highly litigious nature of the USA works in everyone's favour for once and as many people as possible sue the living hell out of Sony so that they will finally take this stuff seriously.

Several things. Firstly, Sony have stated what is and what isn't encrypted in their statement, read it. It's pretty clear.

I'm unimpressed with it too, I think everyone is!

However, suing Sony won't do anyone any good imo. The negative publicity will do good. Sony are obviously taking a lot of steps (including physically relocating their data centre, if you read it), so they are taking it seriously. The fact that they have lost money and will continue to lose revenue and good-will from customers will mean that they take it deadly seriously. I can't imagine what a rollicking their shareholders will give them!

They don't mention PCI DSS compliance, but I thought that if you store personal data and credit card information that can be connected, you have to be? Either way, they obviously weren't doing it right.
Uxon 28th April 2011, 12:44 Quote
Ads by Google

ID Theft
Detect and protect against identity theft. Receive alerts, react fast!
www.equifax.co.uk

:D
DXR_13KE 28th April 2011, 13:06 Quote
Seriously?
DwarfKiller 28th April 2011, 13:19 Quote
I was hearing rumours about this and refused to believe it.
If the delayed announcement wasn't enough, this just takes the cake.
John_T 28th April 2011, 13:31 Quote
Quote:
Originally Posted by Jamie
Don't worry Sony, I'll just cancel my date of birth and get a new one.

That made me laugh! :)
DMU_Matt 28th April 2011, 13:35 Quote
Quote:
Originally Posted by Jamie
Don't worry Sony, I'll just cancel my date of birth and get a new one.

That quote is signature worthy, bravo Jamie. Bravo ;)
Paradigm Shifter 28th April 2011, 14:29 Quote
I don't understand why Sony needed all of that personal information in the first place: I've not linked a credit card to XBox Live (nor did I to PSN) but the only info that XBox Live wanted was a Username, Password and E-mail address. Why does Sony need Name, Address and DOB by default? I very nearly didn't sign up at all with all the info they wanted... I should have stuck with my gut instinct.

And with the effort I take to stop the potential of Identity Fraud happening to me, I'd just like to thank Sony for failing to encrypt my personal data and therefore essentially handing it to bad people on a silver platter. Along with the personal information of 70+ million others.

As I was typing this, I just received an e-mail from Sony telling me about the situation. Nice to see they're so on the ball with telling people, as I don't keep tabs on the PSN Blog. Although it would have been impossible to miss this if you were online at all over the last week.

...

As for litigation not doing any good... the bad publicity will hurt Sony, but they'll recover as people have short memories and Sony have a lot of money to spend on advertising. To get Sony to learn not to do it again the penalty for this is going to have to hit them where it hurts: the pocketbook. I think Identity Theft Protection/Insurance for every single PSN user would be a good start. They obviously have our names and addresses and DOBs (hell, so does the whole of the 'dark side' of the internet by now, most likely) and that's all they should need to open these Identity Theft Protection schemes if they're footing the bill.

...

Disclaimer: Paragraphs 2 and 3 of this post contain high levels of sarcasm.
Eggy 28th April 2011, 14:29 Quote
Encrypting personal info e.g. profile information is not very common though.
Coldon 28th April 2011, 14:33 Quote
You do realize that most sites/services don't encrypt personal data. The reason being that the constant need for unencryption each time the data is needed imposes a massive processing cost on the server. The bit-tech forums store all personal data in plain text too, so does every other IBB / vBulletin / SMF forum.

Usually only the account password is hashed, which is why most forums don't email you a new password but rather a password reset code. Yes, you can reverse engineer the hash to get a text string that creates the same hash, but the chances of it being the user's actual password are slim (assuming a good hashing alg is used). Furthermore, that "reverse engineered" string is useless for any sites/networks using a different hash.

This "news" post is ridiculously alarmist and just pulled a FOX news stunt, overreacting to something that's perfectly normal.

My real name, birthday and email address are already available online in a million places, so why would some hacker gaining that info be of any concern to me. Now if the credit card table wasn't encrypted then you can be really really worried.
Woodspoon 28th April 2011, 14:38 Quote
Lol it just keeps getting worse.
I'm just waiting for the next announcement that says "No credit card details were taken off the system, they were all left unencrypted on a USB key on a train, it's ok though because it might have been found by a cleaner"
themax 28th April 2011, 18:50 Quote
Quote:
Originally Posted by Coldon
You do realize that most sites/services don't encrypt personal data. The reason being that the constant need for unencryption each time the data is needed imposes a massive processing cost on the server. The bit-tech forums store all personal data in plain text too, so does every other IBB / vBulletin / SMF forum.

Usually only the account password is hashed, which is why most forums don't email you a new password but rather a password reset code. Yes, you can reverse engineer the hash to get a text string that creates the same hash, but the chances of it being the user's actual password are slim (assuming a good hashing alg is used). Furthermore, that "reverse engineered" string is useless for any sites/networks using a different hash.

This "news" post is ridiculously alarmist and just pulled a FOX news stunt, overreacting to something that's perfectly normal.

My real name, birthday and email address are already available online in a million places, so why would some hacker gaining that info be of any concern to me. Now if the credit card table wasn't encrypted then you can be really really worried.

This. ;)
kornedbeefy 28th April 2011, 18:53 Quote
Quote:
Originally Posted by Coldon
You do realize that most sites/services don't encrypt personal data. The reason being that the constant need for unencryption each time the data is needed imposes a massive processing cost on the server. The bit-tech forums store all personal data in plain text too, so does every other IBB / vBulletin / SMF forum.

This "news" post is ridiculously alarmist and just pulled a FOX news stunt, overreacting to something that's perfectly normal.

My real name, birthday and email address are already available online in a million places, so why would some hacker gaining that info be of any concern to me. Now if the credit card table wasn't encrypted then you can be really really worried.

I received a lengthy email directly from Sony stating all my information may have been compromised including my credit card. They then go on to state I need to keep an eye on my accounts and keep vigil over my credit report. Also providing links to the credit score agencies.

So ya I guess you can call me a little bit alarmed but more so very irritated.
Waynio 28th April 2011, 19:58 Quote
Anonymous said they were gonna give Sony the biggest attack ever, so I'm gonna risk assuming this is it & if like they are saying they don't mean any harm towards consumers & only towards Sony then maybe they did this to cause a big chunk of mistrust with people who buy Sony stuff & any personal data they took they deleted, this is what I like to think anyway, either that or another bad hacker group has capitalised on the situation & gone for it for real for mass id fraud, sure as heck not good either way.

It's been a while since I fired up the ps3 so I'm unsure about ways to pay for adding money to the wallet, is it possible to put money in the account through paypal, I can't remember as it was ages ago, if so I'd have done it through paypal, if not then my old debit card would have been on there which runs out of date this month.
Eggy 28th April 2011, 20:04 Quote
The mail contains a lot of mights and may haves. Sony just took the better safe than sorry approach when they learned that a person/persons penetrated the security around the user accounts. Keeping a cool head appears to be fairly difficult these days.
Fizzban 28th April 2011, 20:22 Quote
Wow. Now that's an admission and a half. Not encrypted? Why the hell not?! No security system is breach-proof. None.

It is good the credit card info was separate and encrypted, but frankly if they hadn't done that much they would be the most irresponsible and incompetent company on the planet.
Sloth 28th April 2011, 20:28 Quote
Quote:
Originally Posted by Fizzban
Wow. Now that's an admission and a half. Not encrypted? Why the hell not?! No security system is breach-proof. None.

It is good the credit card info was separate and encrypted, but frankly if they hadn't done that much they would be the most irresponsible and incompetent company on the planet.
Quote:
Originally Posted by Coldon
You do realize that most sites/services don't encrypt personal data. The reason being that the constant need for unencryption each time the data is needed imposes a massive processing cost on the server. The bit-tech forums store all personal data in plain text too, so does every other IBB / vBulletin / SMF forum.

Usually only the account password is hashed, which is why most forums don't email you a new password but rather a password reset code. Yes, you can reverse engineer the hash to get a text string that creates the same hash, but the chances of it being the user's actual password are slim (assuming a good hashing alg is used). Furthermore, that "reverse engineered" string is useless for any sites/networks using a different hash.

This "news" post is ridiculously alarmist and just pulled a FOX news stunt, overreacting to something that's perfectly normal.

My real name, birthday and email address are already available online in a million places, so why would some hacker gaining that info be of any concern to me. Now if the credit card table wasn't encrypted then you can be really really worried.
Well I suppose that answers that. Better hope no one gets angry with Bit and tries to hack them!
Fizzban 28th April 2011, 21:12 Quote
Quote:
Originally Posted by Sloth
Well I suppose that answers that. Better hope no one gets angry with Bit and tries to hack them!

There is nothing to be gained by hacking bit-tech or most other forums/sites as there is no money involved and next to no personal info. So I think we are safe :)

But a company that deals in the selling of goods online, like Sony, must robustly secure its customers' details. Usually with the big companies the only thing that is fairly unprotected is the email addresses. Not protecting people's home addresses, phone numbers etc. is shocking. To me it is more than that. It is unacceptable.
Skiddywinks 28th April 2011, 21:59 Quote
Quote:
Originally Posted by Waynio
Anonymous said they were gonna give Sony the biggest attack ever, so I'm gonna risk assuming this is it & if like they are saying they don't mean any harm towards consumers & only towards Sony then maybe they did this to cause a big chunk of mistrust with people who buy Sony stuff & any personal data they took they deleted, this is what I like to think anyway, either that or another bad hacker group has capitalised on the situation & gone for it for real for mass id fraud, sure as heck not good either way.

It's been a while since I fired up the ps3 so I'm unsure about ways to pay for adding money to the wallet, is it possible to put money in the account through paypal, I can't remember as it was ages ago, if so I'd have done it through paypal, if not then my old debit card would have been on there which runs out of date this month.

I don't know what changed recently, but the whole CFM and dev consoles have been around since the PS3, so I don't think this has anything to do with anon.

AFAIK, people were just pirating a **** ton of **** off of the PSN. No one was trying to do anything malicious (like actually stealing any user data). The only reason PSN is offline is because Sony have turned it off, not because it got brain****ed.
Sloth 28th April 2011, 22:21 Quote
Quote:
Originally Posted by Fizzban
There is nothing to be gained by hacking bit-tech or most other forums/sites as there is no money involved and next to no personal info. So I think we are safe :)

But a company that deals in the selling of goods online, like Sony, must robustly secure its customers' details. Usually with the big companies the only thing that is fairly unprotected is the email addresses. Not protecting people's home addresses, phone numbers etc. is shocking. To me it is more than that. It is unacceptable.
To be fair, credit card numbers were encrypted so there's no direct money involved with the PSN hack either. No one's going to be making charges with just a home address and phone number.

The point isn't just Bit, how many other sites with personal information store your data in similar fashions? What are "the big companies"? Does Amazon encrypt all of my data? Blizzard? Valve? Everywhere I've made a purchase online, do they all encrypt my data? And are they any more secure than Sony or have they just not had a similar attack (yet)?
Fizzban 28th April 2011, 22:36 Quote
Quote:
Originally Posted by Sloth
To be fair, credit card numbers were encrypted so there's no direct money involved with the PSN hack either. No one's going to be making charges with just a home address and phone number.

The point isn't just Bit, how many other sites with personal information store your data in similar fashions? What are "the big companies"? Does Amazon encrypt all of my data? Blizzard? Valve? Everywhere I've made a purchase online, do they all encrypt my data? And are they any more secure than Sony or have they just not had a similar attack (yet)?

In my previous post I mentioned that it was good Sony had encrypted credit card details. Moving on.

Ah.. it is difficult for us to know until there is an issue tbh. I know with play.com that they recently had an attack, which to their credit they warned us about via email explaining exactly what the score was. They seem to take security very seriously and the only thing compromised was the emails, which was to do with the provider they were using. All critical information was on a separate system and encrypted as I understand it.

Companies like Amazon, Play.com, eBay, PayPal, Valve etc. have every important piece of info about us pretty much. They cannot afford to have these things compromised, and put a hell of a lot of effort into protecting them. Why? If they didn't customers would lose faith and leave. We (the world) use these companies because they try hard to protect our details. Not because they care, but because it is their livelihood.

As far as I can see all Sony was worried about was protecting their own ass by not scaring folks over something that might have been minimal. Rather than tell us the score and put our minds to rest like Play.com did. Others here will disagree with me and basically have done already. But I can't help but feel Sony has failed their customers twice on the very same issue. Once by not preparing enough for this eventuality, and two by waiting a week before they got around to informing their customers of the severity. Would have taken 10 mins to put together a short message warning of the possible implications, however unlikely, yet they did F-All.

It is shameful customer care, but this all just my opinion *cue the people who think Sony were right to say nothing*
Sloth 28th April 2011, 22:59 Quote
Quote:
Originally Posted by Fizzban
In my previous post I mentioned that it was good Sony had encrypted credit card details. Moving on.

Ah.. it is difficult for us to know until there is an issue tbh. I know with play.com that they recently had an attack, which to their credit they warned us about via email explaining exactly what the score was. They seem to take security very seriously and the only thing compromised was the emails, which was to do with the provider they were using. All critical information was on a separate system and encrypted as I understand it.

Companies like Amazon, Play.com, eBay, PayPal, Valve etc. have every important piece of info about us pretty much. They cannot afford to have these things compromised, and put a hell of a lot of effort into protecting them. Why? If they didn't customers would lose faith and leave. We (the world) use these companies because they try hard to protect our details. Not because they care, but because it is their livelihood.

As far as I can see all Sony was worried about was protecting their own ass by not scaring folks over something that might have been minimal. Rather than tell us the score and put our minds to rest like Play.com did. Others here will disagree with me and basically have done already. But I can't help but feel Sony has failed their customers twice on the very same issue. Once by not preparing enough for this eventuality, and two by waiting a week before they got around to informing their customers of the severity. Would have taken 10 mins to put together a short message warning of the possible implications, however unlikely, yet they did F-All.

It is shameful customer care, but this all just my opinion *cue the people who think Sony were right to say nothing*
PSN sales will almost certainly plummet after this as no one will want to give Sony their information anymore and the more die-hard ones out there might skip buying Sony hardware entirely just because it uses PSN, or they don't want to support the company. This will not be financially pleasant for Sony, it's their livelihood just the same and it makes sense for them to have been protecting it in ways similar to any other company holding similar information, which is why I'm now very curious whether they're following the industry standard or not.

For the PR issue I've got no opinion. On one side it seems obvious to immediately put out a warning of the potential for data loss, but on the other hand I know first hand how people can take words such as might/potential/possible/chance and turn them into will/have/did/absolutely. Say there's been an attack and a potential for stolen data and you'll see articles two minutes later headlined "PSN USER DATA STOLEN". Damned if you do, damned if you don't.
Waynio 28th April 2011, 23:03 Quote
Quote:
Originally Posted by Skiddywinks
I don't know what changed recently, but the whole CFM and dev consoles have been around since the PS3, so I don't think this has anything to do with anon.

AFAIK, people were just pirating a **** ton of **** off of the PSN. No one was trying to do anything malicious (like actually stealing any user data). The only reason PSN is offline is because Sony have turned it off, not because it got brain****ed.
:) I was referring to that weird V for Vendetta video featuring Stephen Hawking apparently by Anon recently posted which got featured on bit recently, was rather weird & was threatening of a massive attack on Sony :).

I grasp the fact sony turned it off once they realised something bad happened.
Quote:
Originally Posted by Fizzban
In my previous post I mentioned that it was good Sony had encrypted credit card details. Moving on.

Ah.. it is difficult for us to know until there is an issue tbh. I know with play.com that they recently had an attack, which to their credit they warned us about via email explaining exactly what the score was. They seem to take security very seriously and the only thing compromised was the emails, which was to do with the provider they were using. All critical information was on a separate system and encrypted as I understand it.

Companies like Amazon, Play.com, eBay, PayPal, Valve etc. have every important piece of info about us pretty much. They cannot afford to have these things compromised, and put a hell of a lot of effort into protecting them. Why? If they didn't customers would lose faith and leave. We (the world) use these companies because they try hard to protect our details. Not because they care, but because it is their livelihood.

As far as I can see all Sony was worried about was protecting their own ass by not scaring folks over something that might have been minimal. Rather than tell us the score and put our minds to rest like Play.com did. Others here will disagree with me and basically have done already. But I can't help but feel Sony has failed their customers twice on the very same issue. Once by not preparing enough for this eventuality, and two by waiting a week before they got around to informing their customers of the severity. Would have taken 10 mins to put together a short message warning of the possible implications, however unlikely, yet they did F-All.

It is shameful customer care, but this all just my opinion *cue the people who think Sony were right to say nothing*

I agree Fizzban & remember when play.com contacted me of what happened also, sony should have been on to informing every user instantly when they realised they had been compromised at the very least to keep customers in the picture, I'd prefer psn if they add a paypal option for adding money to the account, don't like having cards tied to any places so prefer if I have to to just have it tied to 1 place, only added money to it once as well the prices were crazy imo for pretty much everything in comparison to pc games stuff.
thehippoz 29th April 2011, 20:36 Quote
maybe they were getting used to dealing with the mental midget honeypot that is associated with console gamers, they decided to hire some to run the network (stickies with passwords all over the place, in the garbage and a lol attitude without actually ever venturing into the shoes of the guys they are trying to stop)

anyone notice prince harry was looking at the princess tits before the vows?
ciri28 30th April 2011, 05:11 Quote
Sony has a history of arrogance, therefore I am not surprised that they did not make security of their customers' information a priority.
Eggy 30th April 2011, 09:01 Quote
Quote:
Originally Posted by ciri28
Sony has a history of arrogance, therefore I am not surprised that they did not make security of their customers' information a priority.
Bohoo, bet they killed your pet as well. They are a company, their goal is to make money. Not a single company is in it for charity.
l3v1ck 1st May 2011, 22:19 Quote
Would Sony like a slice of Epic with that Fail?
Saivert 2nd May 2011, 10:32 Quote
Boycott Sony
Mighty Yoshimi 2nd May 2011, 17:50 Quote
I don't really care tbh IF they have my card details and max out my Ccard then the bank will just sort it out.

"United Kingdom

In the UK, credit cards are regulated by the Consumer Credit Act 1974 (amended 2006). This provides a number of protections and requirements.

Any misuse of the card, unless deliberately criminal on the part of the cardholder, must be refunded by the merchant or card issuer."