Sony: there is no evidence of a credit card data breach

April 27, 2011

As Sony’s PSN breach saga continues, the company today clarified some of the answers given around the incident recently. According to Sony there is no evidence that indicates credit card information was obtained.

This is a topic of much concern to the PS3 community, as specific details about exactly what was breached had not been revealed previously. Today Sony posted another Q&A, which is fairly detailed.

According to Sony the entire database was secured both physically and through the network. The credit card information was totally encrypted and stored on a separate database table from the personal data.

The personal data was stored on a separate table, which was not encrypted but was behind a “very sophisticated security system.” The hacker was able to breach the table with the personal data. There is no evidence to indicate that the credit card table was breached.

For those unfamiliar with how databases work: a DB contains multiple tables and schemas. Typically, a secured table requires a user to have special rights to access its schema and objects, while the other tables may be available to the authorized login ID.

In other words, if a hacker was able to breach the personal data table by gaining access to a general user ID or even the app ID, they would not be able to even see the secured credit card table. A DBA must add those IDs in order for someone to view the table and its contents. In addition, the table was totally encrypted and can only be decrypted by exercising the database with DBA authority.
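The privilege separation described above, sketched for PostgreSQL as an added example (not Sony's schema or code; every schema, table and role name here is hypothetical). A general application ID can use the personal-data table but has no rights on the separately secured card table, and the final query checks what each ID can actually reach:

```sql
-- Constructed example: all role, schema and table names are hypothetical.
CREATE ROLE psn_app LOGIN;       -- general application ID
CREATE ROLE billing_dba LOGIN;   -- ID explicitly authorized by a DBA

CREATE SCHEMA accounts;          -- personal data
CREATE SCHEMA billing;           -- card data, kept apart

CREATE TABLE accounts.profile (
    account_id bigint PRIMARY KEY,
    name       text,
    email      text
);

CREATE TABLE billing.card (
    account_id bigint PRIMARY KEY REFERENCES accounts.profile,
    pan_enc    bytea NOT NULL    -- ciphertext only; the key is assumed to
                                 -- be unavailable to psn_app
);

-- Default deny on the secured schema, so a later blanket grant to PUBLIC
-- elsewhere cannot expose it by accident.
REVOKE ALL ON SCHEMA billing FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA billing FROM PUBLIC;

-- The application ID gets the personal-data table and nothing else.
GRANT USAGE ON SCHEMA accounts TO psn_app;
GRANT SELECT, INSERT, UPDATE ON accounts.profile TO psn_app;

-- Only the explicitly added ID can resolve and read the card table.
GRANT USAGE ON SCHEMA billing TO billing_dba;
GRANT SELECT ON billing.card TO billing_dba;

-- Audit check: effective privileges per ID, suitable for a scheduled job.
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'billing', 'USAGE')         AS billing_usage,
       has_table_privilege(r.rolname, 'billing.card', 'SELECT')     AS card_select,
       has_table_privilege(r.rolname, 'accounts.profile', 'SELECT') AS profile_select
FROM pg_roles r
WHERE r.rolname IN ('psn_app', 'billing_dba')
ORDER BY r.rolname;
```

In the final query, psn_app should report false in both billing columns; a true there means a compromise of the application ID also reaches card data.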

Chances are very good that the hackers were not able to even access the credit card table, as this requires phishing information from an actual person (DBA). This is also backed by BBC’s Technology Correspondent, Rory Cellan-Jones, who revealed that on the record, Sony is not confirming anything. However, off the record the company is saying that credit card details on the PlayStation Network have not been compromised.

Various companies deal with similar situations differently. There have been less scrupulous companies in the past that may not even acknowledge a breach in security until questioned externally and even then, the company may just announce a formal investigation with no follow up. Typically, in such a scenario months may go by with the consumer clueless as to the potential security risks, in turn resulting in low media exposure.

Sony may have exacerbated the situation by dramatically scaring consumers about a potential credit card breach without a 100 percent assessment. However, full disclosure is definitely the best policy in this type of situation, as it will also cover Sony in any unlikely case.

64 Responses to “Sony: there is no evidence of a credit card data breach”

  1. FahKinSuPah:

    How far are we into PSN-Gate now? How many days has it been?

  2. phranctoast:

    All around good news. Look Sony, you’re damned if you do and you’re damned if you don’t.

  3. Godless:

    any news if they have managed to track down the hacker that caused this?

    What would be a real pain in the ass, is if PSN gets hacked as soon as it’s up and running.

    If the hackers were able to sustain their activities, and keep PSN down, now that would kill the PS3.

    I hope to hell Sony have made this new system bullet proof

  4. Godless:

    It will be interesting to see if this carry on has had an impact on sales of the console too.

    M$ has had years of being the hackers fav target.
    I wonder how well Sony will stand up to being their new one?

  5. phranctoast:

    @godless

    Yeah

    http://topnews.in/law/files/bill-gates.jpg

    ;)

  6. CarlB:

    “‘Sony promised its customers that their information would be kept private. One would think that a large multinational corporation like Sony has strong protective measures in place to prevent the unauthorized disclosure of personal information, including credit card information. Apparently, Sony doesn’t,’ commented J.R. Parker, co-counsel in the case.”
    http://www.joystiq.com/2011/04/27/class-action-lawsuit-filed-against-sony-for-security-breach/3

  7. phranctoast:

    It was only a matter of time carlb. Now it’s looking like just our personal info (Name, Address, Email) was hacked and not the CC info, yet this lawsuit is for financial info……

    I was wondering which law firm would jump the gun prior to the official third party report coming out.

  8. Godless:

    phranc,

    there should be a warning on that link

    It gave me one of those horrible spine judder moments :D

  9. phranctoast:

    Oh…lol.. You scared the shit out of me. Sometimes Google Images have housed malware…I thought I inadvertently linked to that…

    phew…

  10. CarlB:

    “How far are we into PSN-Gate now? How many days has it been?”

    Day 8 since the shutdown, 11th since the theft, and (family feud voice) PS3 says?…

    (robot voice)…
    “8002A203”

    “just our personal info (Name, Address, Email)”

    …and birthdate, usernames, passwords, logins, security questions and more…
    “the names, addresses and other personal data of about 77 million people with accounts on its PlayStation Network (PSN) have been stolen…Sony said it discovered that between 17 and 19 April an ‘illegal and unauthorised person’ got access to people’s names, addresses, email address, birthdates, usernames, passwords, logins, security questions and more… the theft of so much detailed customer information would be seen as a ‘public relations disaster’”
    http://www.guardian.co.uk/technology/2011/apr/26/playstation-network-hackers-data

  11. CarlB:

    HOBO WITH A SHOTGUN!!!

    http://www.youtube.com/watch?v=ssHEAOrAdCU

  12. Andrew_DS:

    What I want to know is what has the hacker achieved? I can’t see how they are likely to get any personal monetary gain out of this.

    All I can think of is that sony must be a lot more hated than Nintendo or Microsoft. Figures!

  13. Roca.:

    “I was wondering which law firm would jump the gun prior to the official third party report coming out”

    @Phranc
    PSN terms of agreement claim no liability for data loss. Many other sites have lost users’ personal data, including Amazon, Google & MS and none of them face any real issue with lawsuits.

  14. twilight:

    All I care about at this point is when Psn will be back up. This is supposed to be Ps3’s year. Obviously, Psn being down is not good for Sony.

  15. Roca.:

    “All I care about at this point is when Psn will be back up”

    Sony is virtually and physically rebuilding PSN and according to them, some features will be back within a week. They will need a massive update to make us forget all about the 2-week outage.

  16. phranctoast:

    Cross game chat?

  17. CarlB:

    mandatory security codes?

  18. Roca.:

    well, it will be mandatory to change your password the next time you login on PSN.

    @Phranc
    a reliable source said this:
    “As we’re rebuilding the network, we are into consideration in implementing features such as cross game chat and in-game video chat to name a few.

    I cannot confirm any new features at this time but expect a massive update when the network is restored”

  19. phranctoast:

    in game video chat….No thanks. It’s bad enough that I have to hear some of you whiny little bitches ;)

  20. ncaissie:

    Databases that large have transaction logs so they would know 100% if it was accessed.
    I ordered a new card anyway.
    If it was investigated by an outside source then they would know to look at the logs.
    Also for you morons saying Sony should have a “bulletproof” system, STFU because there is no way to have a bulletproof system.

  21. ncaissie:

    “(robot voice)…
    “8002A203””
    Mine just says down for maint.

  22. ncaissie:

    ““the names, addresses and other personal data of about 77 million people with accounts on its PlayStation Network (PSN) have been stolen”
    Where did you read the word “Stolen”?
    People like you sure love to throw words in to get reactions don’t you?
    Accessed does not mean stolen. They most likely did make a copy but it isn’t proven.

  23. ncaissie:

    “All I can think of is that sony must be a lot more hated than Nintendo or Microsoft. Figures!”
    Because you’re nothing but a POS Troll that is why.

  24. ncaissie:

    “It’s bad enough that I have to hear some of you whiny little bitches”
    Hey! I hate being shot! LOL

  25. phranctoast:

    lol

  26. phranctoast:

    http://m.kotaku.com/5796651/credit-card-companies-see-no-sign-of-psn-hack-fraud

  27. CarlB:

    “Mine just says down for maint.”
    If you have your console set to log in automatically it pops up in the upper right corner of your screen after powering up the console.

    “Where did you read the word ‘Stolen’?
    People like you sure love to throw words in to get reactions don’t you?”

    In the very first paragraph of the article I linked.

    “Accessed does not mean stolen”

    Sony stated they believed it was “obtained” by an “unauthorized person” due to the results of their thorough investigation. Is “stolen” too harsh a word for you or what?

    http://www.technobuffalo.com/companies/sony/playstation-network-user-information-stolen-in-hack/

  28. Roca.:

    Sony said: “the entire database was secured both physically and through the network. The credit card information was totally encrypted and stored on a separate database table from the personal data”

    Also:
    “Gamespot also reports that several financial companies, including MasterCard, WellsFargo and American Express, have witnessed “no unauthorized activity relating to Sony”

    http://massively.joystiq.com/2011/04/28/playstation-network-credit-card-info-appears-to-be-safe-no-una/

  29. ncaissie:

    Show me where Sony said obtained. That link is not from sony.

  30. SW:

    “credit card number (excluding security code) and expiration date may have been obtained.”

    ^^^ From the latest PS blog FAQ.

    So they don’t know one way or the other.

    It’s good that CC companies aren’t seeing any fraud, but I would think that would be expected considering the data was encrypted. Gotta wonder if they will get it decrypted tho.

  31. ncaissie:

    I don’t care. I changed mine anyway.

  32. Roca.:

    Sony never confirmed cc data was “obtained”

    “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility”

    http://vgn365.com/2011/04/29/major-us-banks-on-psn-hack-no-mass-breach-of-credit-information/

  33. Roca.:

    “We’re not resetting accounts or anything like that, so when PSN is restored and you log on, everything will be as you left it, friends lists, trophies and wallet funds will all be exactly as they were before.”

  34. Ivan_PSP:

    While my PSN system is down I’m playing Medal of Honor on PS3 and Bulletstorm. Too bad I can’t play them online; one day I will get these games on disc.

    Oh and Sony said PSN is coming back in less than a week so wait n get ready with your new password and new firmware update. It’s gonna be a massive update.

    Xbox Live was hacked and is still getting hacked since 2002, 9 years. Microsoft u suck at securing anything. Sony will be OKAY no doubt; when their exclusives start coming out people will just FORGET.

  35. CarlB:

    “Show me where Sony said obtained.”

    Fine:

    “we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID.”

    http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

  36. CarlB:

    “It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility”

    Mike’s title: “Sony: there is no evidence of a credit card data breach”

    In other words:

    “Sony: Believes PII of 77 Million Users Stolen, cannot determine whether Credit Card data has been Stolen”

    And does anyone really believe that someone smart enough to hack into PSN and steal 77 million users’ PII, let alone credit card numbers, would immediately use that information after the crime?

    Come on people, you’re smarter than that.

  37. phranctoast:

    I guess I’m not too smart then. Like they would wait until Sony officially says card numbers were stolen and everyone on the network cancels their card.

  38. CarlB:

    If Sony can’t tell whether or not they took the card numbers and all Sony will officially say is “we can’t tell, be vigilant” then wouldn’t it be reasonably smart to wait until well after the scare, then piecemeal the crimes over time so nobody could trace it back to this?

  39. CarlB:

    If anything, the database of PII they now have is worth more by itself to the highest bidder, and poses even less risk to the original thief after being sold to others with criminal intentions. Card numbers don’t need to be stolen if they have enough PII to open accounts in your name. They already have lost enough for identity theft to happen.

  40. phranctoast:

    “If Sony can’t tell whether or not they took the card numbers and all Sony will officially say is “we can’t tell, be vigilant” then wouldn’t it be reasonably smart to wait until well after the scare, then piecemeal the crimes over time so nobody could trace it back to this?”

    Assuming the info doesn’t just get dumped in a file and sold.

  41. Roca.:

    Time to go back to 360 CarlB…

  42. CarlB:

    “Assuming the info doesn’t just get dumped in a file and sold.”

    That’s what I’m saying. They have the option to do that, and if they do sell it the ones they sell it to will probably wait awhile and piecemeal it anyway so it can’t be traced back to this breach or them.

    But the bottom line is that whoever winds up with that massive amount of PII is likely going to exploit its max potential as much as possible, and the banks may not necessarily be their first stop.

  43. CarlB:

    Haven’t even considered it roca.
    I’m still happily playing offline on PS3, but I’m not going to sugar coat or downplay this problem simply because I’m a PS3 only gamer at this time.

    Besides, there is still a light at the end of the tunnel:

    (Sony says) “We are currently evaluating ways to show appreciation for your extraordinary patience as we work to get these services back online”

  44. CarlB:

    Oops. I think I just sugarcoated it. ;)

  45. CarlB:

    With a cherry on top:

    “Sony also says any trophies earned in single-player offline games during the outage can be re-synched once the service is operational and that users’ download history/friends list/settings will be unaffected. PlayStation+ cloud saves will also be retrievable.”

  46. phranctoast:

    good stuff. I have some TR and portal 2 trophies.

  47. phranctoast:

    An Ideal time to exploit the cards would be prior to Sony even saying anything last Saturday IMO.

    Fraudulent charges have been popping up, but it seems like most people attribute it to the high percentage of people affected where some people were statistically likely to see normal fraud anyway.

    A sensible poster commented that just because they don’t see a car accident doesn’t mean it doesn’t happen every 60 seconds.

  48. CarlB:

    I think an ideal time would be about a year from now, spread out over about three decades.

  49. Roca.:

    “I think an ideal time would be about a year from now, spread out over about three decades”

    when most ppl’s address, name, email, zip code, password have changed. Some will likely be dead (over 3 decades) and security and identity theft precautions will be tighter.

    There is not much they can do – names, addresses (city, state, zip), country & to some extent birthdates can be obtained just by digging through someone else’s trash to look for some old mail with some of this info. Names & addresses are printed in every mail you get and they get stolen all the time (Google, MS, Blizzard, Amazon, and others have all been breached) but without SS# there’s not much they can do nowadays.

    Something similar happened to Amazon not too long ago..

    “The alleged vulnerability only affects those users who have not changed amazon accounts passwords for a long time. Attackers may exploit the flaw to launch brute force attacks or bombard passwords on the account with software. On successful breach, attackers may have access to confidential personal or financial information of the targeted users. The personal details may include names, mailing address, contact numbers, e-mail address, past transactions and payment information among others. Therefore, the security flaw on the Amazon site poses threat to privacy and confidentiality of amazon account holders”

  50. CarlB:

    “when most ppl’s address, name, email, zip code, password have changed. Some will like be dead (over 3 decades) and security and identity theft precautions will be tighter.”

    We are talking about a database of 77 million.
    They may only need to utilize 10-1000 to commit some pretty large crimes with identity theft. Not everyone moves, and I don’t think most people change their name that often. I personally haven’t changed my email address in about five years, but I may now. I don’t think anyone’s birth date changes, unless of course they are switching their identity.

    Deceased people’s information has been used in the past as well. Security and identity theft precautions may or may not be tighter dependent upon an individual’s unique circumstances, and every single piece of PII is valuable.

  51. CarlB:

    This is a nice time for lifelock to cash in on this situation. They could even do a deal with Sony.

  52. CarlB:

    http://www.lifelock.com/?v=2

  53. phranctoast:

    If you’re strictly talking about identity theft carlb then I agree, however roca is correct if it’s just credit card fraud. I believe the ccj # changes with a card’s renewal so that should dampen that even if people were just going to guess your new expiration date based off your old one.

  54. Roca.:

    anyone watching Fast 5 today?

  55. dans303:

    I’m going to see it later today (saturday).

  56. CarlB:

    Yep, “just” identity theft and the ability to open accounts in your name phranc. However, the majority of places I have used my card with do not require the security code you mentioned either, so that is also a concern.

    http://fivetowns.patch.com/articles/string-of-identity-theft-cases-hits-the-five-towns

  57. CarlB:

    Newest Kevin Butler Ad, It Only Does Identity Theft:

    http://www.youtube.com/watch?v=Cwn4R_GexLM

  58. SW:

    The best internet meme I’ve seen so far is to do with locking the console down with DRM up the yin yang, but not encrypting the customers data :)

    I know the CC data was encrypted, but man, why do companies hold our shit in such disregard these days.

    /end grumble

  59. Roca.:

    LMAO CarlB’s video.

  60. ncaissie:

    @sw because other companies access that data. For instance sites we have seen linked here that show our trophy info. I’m guessing Sony gives the devs access to our info but not credit card info. Probably how the idiot got access in the first place. Doesn’t the hack involve dev kits?

  61. dans303:

    F & F 5 is gooood. :D

  62. SW:

    @ncassie

    Trophy data is one thing tho, my address is another.

  63. CarlB:

    I have happily been playing FFXIII since the outage with no problem, got to Chapter 8, and now it freezes at the Square Enix screen… what gives? Has anyone else had problems with this?

  64. CarlB:

    Buffed it, works fine.
