Sony admits personal data was not encrypted
Sony has admitted that the personal data of PSN users was not encrypted.
Thankfully, credit card information was stored seperately to the personal data and was encrypted. Sony still claims it it is yet to find evidence that the personal or credit card data has been actually accessed or stolen, though the security system surrounding the files were compromised.
'All of the data was protected, and access was restricted both physically and through the perimeter and security of the network,' Sony said in a statement. 'The entire credit card table was encrypted and we have no evidence that credit card data was taken.
'The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.'
Sony is still advising customers to remain vigilant over their accounts, however.
'Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.'
Sony is hoping to restore some PSN services by 3rd May next week, while the UK's Information Commissioner's Office is set to grill the company on its security systems.
Let us know your thoughts in the forums.
Previous Article
34 Comments
Discuss in the forums ReplyI can't believe they aren't PCI-DSS compliant. Maybe Sony got confused about the meaning of PSN, thinking it meant Please Steal Numbers.
http://pastie.org/private/erihhjd2ccvj0lkmzbtuw
The table might have been encrypted, but it seems like all the calls were sent in plain-text.
I'm incredibly unimpressed with the secretive, deceptive nature of their response to this situation.
My hope is that the highly litigious nature of the USA works in everyone's favour for once and as many people as possible sue the living hell out of Sony so that they will finally take this stuff seriously.
Several things. Firstly, Sony have stated what is and what isn't encrypted in their statement, read it. It's pretty clear.
I'm unimpressed with it too, I think everyone is!
However, suing Sony won't do anyone any good imo. The negative publicity will do good. Sony are obviously taking a lot of steps (including physically relocating their data centre, if you read it), so they are taking it seriously. The fact that they have lost money and will continue to lose revenue and good-will from customers will mean that they take it deadly seriously. I can't imagine what a rollicking their shareholders will give them!
They don't mention PCI DSS compliance, but I thought that if you store personal data and credit card information that can be connected, you have to be? Either way, they obviously weren't doing it right.
ID Theft
Detect and protect against identity theft. Receive alerts, react fast!
www.equifax.co.uk
:D
If the delayed announcement wasn't enough, this just takes the cake.
That made me laugh! :)
That quote is signature worthy, bravo Jamie. Bravo ;)
And with the effort I take to stop the potential of Identity Fraud happening to me, I'd just like to thank Sony for failing to encrypt my personal data and therefore essentially handing it to bad people on a silver platter. Along with the personal information of 70+ million others.
As I was typing this, I just received an e-mail from Sony telling me about the situation. Nice to see they're so on the ball with telling people, as I don't keep tabs on the PSN Blog. Although it would have been impossible to miss this if you were online at all over the last week.
...
As for litigation not doing any good... the bad publicity will hurt Sony, but they'll recover as people have short memories and Sony have a lot of money to spend on advertising. To get Sony to learn not to do it again the penalty for this is going to have to hit them where it hurts: the pocketbook. I think Identity Theft Protection/Insurance for every single PSN user would be a good start. They obviously have our names and addresses and DOBs (hell, so does the whole of the 'dark side' of the internet by now, most likely) and that's all they should need to open these Identity Theft Protection schemes if they're footing the bill.
...
Disclaimer: Paragraphs 2 and 3 of this post contain high levels of sarcasm.
Usually only the account password is hashed, which is why most forums dont email you a new pasowrd but rather a password reset code. Yes, you can reverse engineer the hash to get a text string that creates the same hash but the chances of it being the user's actual password are slim (assuming a good hashing alg is used. Futhermore that "reverse engineered" string is useless for any sites/networks usign a different hash.
This "news" post is ridiculously alarmist and just pulled a FOX news stunt, overreacting to something thats perfectly normal.
My real name, birthday and email address are already available online in a million places, so why would some hacker gaining that info be of any concern to me. Now if the credit card table wasnt encyrpted then you can be really really worried.
I'm just waiting for the next announcement that says "No credit card details were taken off the system, they were all left unencrypted on a USB key on a train, it's ok though because it might have been found by a cleaner"
This. ;)
I recieved a lenghthy email directly from Sony stating all my information may have been compromised including my credit card. They then go on to state I need to keep an eye on my accounts and keep vigil over my credit report. Also providing links to the credit score agencies.
So ya I guess you can call me a little bit alarmed but more so very irritated.
It's been a while since I fired up the ps3 so I'm unsure about ways to pay for adding money to the wallet, is it possible to put money in the account through paypal, I can't remember as it was ages ago, if so I'd have done it through paypal, if not then my old debit card would have been on there which runs out of date this month.
It is good the credit card info was separate and encrypted, but frankly if they hadn't done that much they would be the most irresponsible and incompetent company on the planet.
There is nothing to be gained by hacking bit-tech or most other forums/sites as there is no money involved and next to no personal info. So I think we are safe :)
But a company that deals in the selling of goods online, like Sony, must robustly secure it's customers details. Usually with the big companys the only thing that is fairly unprotected is the email addresses. Not protecting peoples home addresses, phone numbers ect is shocking. To me it is more than that. It is unacceptable.
I don't know what changed recently, but the whole CFM and dev consoles have been around since the PS3, so I don't think this has anything to do with anon.
AFAIK, people were just pirating a **** ton of **** off of the PSN. No one was trying to do anything malicious (like actually stealing any user data). The only reason PSN is offline is because Sony have turned it off, not because it got brain****ed.
The point isn't just Bit, how many other sites with personal information store your data in similar fashions? What are "the big companies"? Does Amazon encrypt all of my data? Blizzard? Valve? Everywhere I've made a purchase online, do they all encrypt my data? And are they any more secure than Sony or have they just not had a similar attack (yet)?
In my previous post I mentioned that is was good Sony had encrypted credit card details. Moving on.
Ah.. it is difficult for us to know until there is an issue tbh. I know with play.com that they recently had an attack, which to their credit they warned us about via email explaining exactly what the score was. They seem to take security very seriously and the only thing compromised was the emails, which was to do with the provider they were using. All critical information was on a separate system and encrypted as I understand it.
Companys like Amazon, Play.com, Ebay, Paypal, Valve ect have every important piece of info about us pretty much. They cannot afford to have these things compromised, and put a hell of a lot of effort into protecting them. Why? If they didn't customers would loose faith and leave. We (the world) use these companys because they try hard to protect our details. Not because they care, but because it is their livelihood.
As far as I can see all Sony was worried about was protecting their own ass by not scaring folks over something that might have been minimal. Rather than tell us the score and put our minds to rest like Play.com did. Others here will disagree with me and basically have done already. But I can't help but feel Sony has failed their customers twice on the very same issue. Once by not preparing enough for this eventuality, and two by waiting a week before they got around to informing their customers of the severity. Would have taken 10 mins to put together a short message warning of the possible implications, however unlikely, yet they did F-All.
It is shameful customer care, but this all just my opinion *cue the people who think Sony were right to say nothing*
For the PR issue I've got no opinion. On one side it seems obvious to immediately put out a warning of the potential for data loss, but on the other hand I know first hand how people can take words such as might/potential/possible/chance and turn them into will/have/did/absolutely. Say there's been an attack and a potential for stolen data and you'll see articles two minutes later headlined "PSN USER DATA STOLEN". Damned if you do, damned it you don't.
I grasp the fact sony turned it off once they realised something bad happened.
I agree Fizzban & remember when play.com contacted me of what happened also, sony should have been on to informing every user instantly when they realised they had been compromised at the very least to keep customers in the picture, I'd prefer psn if they add a paypal option for adding money to the account, don't like having cards tied to any places so prefer if I have to to just have it tied to 1 place, only added money to it once as well the prices were crazy imo for pretty much everything in comparison to pc games stuff.
anyone notice prince harry was looking at the princess tits before the vows?
"United Kingdom
In the UK, credit cards are regulated by the Consumer Credit Act 1974 (amended 2006). This provides a number of protections and requirements.
Any misuse of the card, unless deliberately criminal on the part of the cardholder, must be refunded by the merchant or card issuer."