Sony confirms PlayStation Network cards were encrypted

A Sony spokesman said Thursday that the credit card numbers belonging to millions of PlayStation Network (PSN) and Qriocity users were encrypted when they potentially were compromised by hackers.

While Sony has not confirmed that card information was stolen in the attack, which happened between April 17 and 19, the company was encrypting all of that data when the breach occurred.

"The entire credit card table was encrypted and we have no evidence that credit card data was taken," according to a question-and-answer document posted by Nick Caplin, head of communications for Sony Computer Entertainment Europe.

Left unencrypted were other assets, such as usernames, physical addresses, email addresses, birth dates and PSN/Qriocity credentials -- all of which were compromised. The hackers also may have obtained purchase histories, billing addresses and password challenge answers.

Some 77 million registered users were affected by the breach, according to Sony, making it one of the largest reported data-leakage incidents of all time.

Caplin said Sony "cannot rule out the possibility" that card numbers and expiration dates -- but not security codes, such as CVC numbers -- were exposed. As a result, the company advised gamers to monitor their financial account statements.

Even if the card numbers went untouched, the hackers got away with valuable information to use in spear phishing attacks that could net them even more precious data, such as credit card, tax identification or Social Security numbers, experts have said.

PSN and Qriocity remain down, and Sony promises enhanced security when the services return online, including "moving our network infrastructure and data center to a new, more secure location." In addition, users will be required to change their passwords when the services return, which is slated for sometime next week.

Qriocity is Sony's music, games, book and video on-demand service.

Meanwhile, Sony is facing its first legal challenge after a lawsuit was filed Wednesday in federal court in San Francisco. The complaint contends that the company waited too long to tell users about the breach, which placed them at risk of credit card fraud.

In addition, Connecticut Attorney General Richard Blumenthal has written a letter to Sony, asking the company why it waited nearly a week to notify users about the breach.
