As Sony’s PSN breach saga continues, the company today clarified some of the answers it has recently given about the incident. According to Sony, there is no evidence that indicates credit card information was obtained.
This is a topic of much concern to the PS3 community, as specific details about exactly what was breached haven’t been revealed previously. Today Sony posted another Q&A, which is fairly detailed.
According to Sony, the entire database was secured both physically and through the network. The credit card information was totally encrypted and stored on a separate database table from the personal data.
The personal data was stored on a separate table, which was not encrypted but was behind a “very sophisticated security system.” The hacker was able to breach the table with the personal data. There is no evidence to indicate that the credit card table was breached.
For those unfamiliar with how databases work – a DB contains multiple tables and schemas. Typically a secured table will require a user to have special rights to access the schema and objects, while the other tables may be available to the authorized login ID.
In other words, if a hacker was able to breach the personal data table by gaining access to a general user ID or even the app ID, they would not be able to even see the secured credit card table. A DBA must add those IDs in order for someone to view the table and its contents. In addition, the table was totally encrypted and can only be decrypted by accessing the database with DBA authority.
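The separation described above can be sketched in PostgreSQL. This is an added example, not Sony's actual configuration or anything published by Sony; the role, schema and table names, the key placeholder and the sample rows are all hypothetical.

```sql
-- Constructed sketch: every name and value below is hypothetical.
CREATE ROLE psn_app LOGIN;      -- general application ID
CREATE ROLE billing_dba LOGIN;  -- privileged ID that a DBA must grant explicitly

CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE SCHEMA account;
CREATE SCHEMA billing;

-- Personal data: unencrypted, reachable by the application ID.
CREATE TABLE account.personal_data (
    user_id bigint PRIMARY KEY,
    name    text NOT NULL,
    email   text NOT NULL
);

-- Card data: separate schema, card number stored only as ciphertext.
CREATE TABLE billing.credit_card (
    user_id bigint PRIMARY KEY REFERENCES account.personal_data (user_id),
    pan_enc bytea NOT NULL
);

-- Least privilege: the app ID gets the account schema and nothing in billing.
REVOKE ALL ON SCHEMA billing FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA billing FROM PUBLIC;
GRANT USAGE ON SCHEMA account TO psn_app;
GRANT SELECT, INSERT, UPDATE ON account.personal_data TO psn_app;
GRANT USAGE ON SCHEMA billing TO billing_dba;
GRANT SELECT, INSERT ON billing.credit_card TO billing_dba;

-- Constructed sample rows; the key is a placeholder and in practice
-- would be held somewhere the application ID cannot read.
INSERT INTO account.personal_data VALUES (1, 'Sample User', 'user@example.com');
INSERT INTO billing.credit_card
VALUES (1, pgp_sym_encrypt('4111111111111111', 'PLACEHOLDER-KEY'));

-- Audit query: which of the two IDs can reach the card table at all?
-- Any role other than billing_dba holding a billing privilege is a finding.
SELECT r.rolname,
       has_table_privilege(r.rolname, 'account.personal_data', 'SELECT') AS personal_select,
       has_schema_privilege(r.rolname, 'billing', 'USAGE')               AS billing_usage,
       has_table_privilege(r.rolname, 'billing.credit_card', 'SELECT')   AS card_select
FROM pg_roles AS r
WHERE r.rolname IN ('psn_app', 'billing_dba')
ORDER BY r.rolname;
```

A session that compromises only the application ID fails at the schema boundary before it ever reaches the ciphertext, which is the layering the Q&A describes.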
Chances are very good that the hackers were not able to even access the credit card table as this requires phishing information from an actual person (DBA). This is also backed by BBC’s Technology Correspondent, Rory Cellan-Jones, who revealed that on the record, Sony is not confirming anything. However, off the record the company is saying that credit card details on the PlayStation Network have not been compromised.
Various companies deal with similar situations differently. There have been less scrupulous companies in the past that may not even acknowledge a breach in security until questioned externally and even then, the company may just announce a formal investigation with no follow up. Typically, in such a scenario months may go by with the consumer clueless as to the potential security risks, in turn resulting in low media exposure.
Sony may have exacerbated the situation by dramatically scaring consumers about a potential credit card breach without a 100 percent assessment. However, full disclosure is definitely the best policy in this type of situation, as it will also cover Sony in any unlikely case.