Customer credit card data held by Sony as part of its PlayStation Network (PSN) and Qriocity services was fully encrypted, the company has confirmed in the aftermath of last week’s massive hacking data breach.
The news reinforces that the company was in compliance with the encryption element of the Payment Card Industry Data Security Standard (PCI-DSS), which applies to any larger company that handles credit card numbers.
However, Sony has refused to rule out that the data could still have been compromised, perhaps a veiled reference to the remote possibility that hackers also accessed the keys used to scramble the data as part of their rampage. To use the cards attackers would also, in theory, need to obtain the three-digit card verification numbers, which are not stored by payment systems, although this security is far from foolproof.
The company’s latest advice is that customers closely monitor statements associated with the credit cards used on PSN, identifying which numbers were used from confirmation emails sent by Sony at the times the transactions were made.
Who was behind the attack could turn out to be the most important element of this extraordinary story.
On the face of it, the PSN attack bears the hallmarks of being a straightforward attack by criminals in search of profitable data, but there is circumstantial evidence that the motivation might have been ideological.
In a Q&A posted on its site yesterday, the company admitted that its Sony Online Entertainment (SOE) had also experienced a “service interruption” due to an external attack. Assuming this wasn’t plain coincidence, it seems unlikely that a conventional criminal attack would devote resources trying to 'down' the company’s branded websites.
Criminals also use the modus operandi of stealth, stealing smaller amounts of data over a longer period of time in order to remain undetected. By that standard, the attack on the PSN a week ago is more like crashing a tank through the front gates. Some have speculated that criminals saw the opportunity to attack Sony at a time when others might be blamed.
The motivation is important because it could affect what happens to any data stolen during the breach, including the wealth of personal subscriber data other than credit cards that was not encrypted by Sony.
If anti-Sony hackers were behind the attack, the data is unlikely to be sold to criminals and some of it will likely appear online as a way of embarrassing Sony. If the attack was by professional criminals, by contrast, no responsibility will ever be taken and the data will disappear on to the black market.