An update on the Sony breach

Sony just posted an update about what they've learned about the recent hack that penetrated their PlayStation Network and Qriocity service. Here's part of their post:

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

So it looks like hackers didn't get any credit card information in this particular attack. That's good. But they got lots of other personal information. That's bad.

Businesses really should be encrypting all sensitive information, not just credit card numbers, and this breach is a good example of why.
