Sony Shares More Details On PlayStation Network Breach

Yesterday Sony revealed that some 77 million members of its Playstation Network had their personal information harvested by hackers, including name, address, and possibly credit card numbers in a massive security breach. Sony pulled down PSN as soon as it detected the breach, (we’ve been following the story since it first began last week), and it’s now regularly sharing more details to provide clarity to the situation.

This evening Sony posted a lengthy Q&A discussing the security measures it had taken to keep user data in the first place. Among the answers:

  • Sony says that it’s working with law enforcement and views this as a criminal act.
  • Personal data (name, address, etc) was not encrypted, but credit card information was — though Sony can’t rule out that it was accessed.
  • Credit card security codes (the three digit numbers on the back of the card) were not stored, so they weren’t compromised
  • Sony suggests looking at your email confirmations for past transactions to determine which credit card you had connected to the account.

In an update last night, Sony also clarified that while it detected the breach on April 19, it didn’t know the scope of the data that was harvested until April 25, the day before its announcement (Sony has come under lots of fire for apparently waiting a long time to disclose the information). However, Sony’s defense isn’t that solid — if it even thought there was a possibility credit cards might have been taken, it seems like it should have given users fair warning.

Here’s an excerpt from the Q&A — you can find the whole thing here, and should check it out if your information was compromised.

Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.
Q: What steps should I take at this point to help protect my personal data?

A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.