Sony officials are now saying that while they’re still unsure whether the attackers behind the recent breach of the PlayStation Network stole customers’ credit-card data, the data itself was indeed encrypted in the database.
In its initial communications about the PSN attack, Sony did not make any reference to whether the customer credit card data was stored in an encrypted format. However, on Thursday the company issued an updated FAQ in which it says that the credit card numbers were in an encrypted database table.
“All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack,” Sony says in its FAQ.
The problem for customers, however, is that the company is not sure whether the data was stolen.
“While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code, sometimes called a CVC or CSC number) and expiration date may have been obtained.”
The good news is that if the credit card data was in fact stolen, it won’t be of much use to the attackers on its own. However, because the attackers have customer names, addresses, emails and other data, they may be able to craft highly targeted phishing emails that prey on victims’ fears about the PlayStation Network breach. Password-reset or payment-detail confirmation scams would be simple and effective ways for attackers to possibly get more information from PSN breach victims.