“All of the data was protected, and access was restricted both physically and through the perimeter and security of the network,” Sony wrote in a blog post.
“The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”
Encrypting the credit card numbers might help Sony argue that it was in compliance with the Payment Card Industry Data Security Standard (PCI DSS), which requires stored card numbers to be rendered unreadable, typically by encryption. That could help Sony in the class action lawsuits that have already begun.
Without more details, though, it’s difficult to know how much solace users should take in this latest dribble of information on the massive breach. If the encryption scheme in use was weak, or if the intruders obtained the decryption keys (which, if they were reachable from the compromised systems, would make the encryption moot), then the card numbers are still at risk. For that matter, with access to the network’s back-end systems, it’s possible the intruders could have captured newly used credit card numbers as they came into the system, before they were encrypted.
Meanwhile, users are reporting fraudulent charges on cards they’ve used on the PlayStation Network; Wired.com sister site Ars Technica has counted two dozen cases. But in any sample of 77 million people, it would be far more surprising not to find recent victims of credit card fraud in the mix, so we’re not counting this as evidence that plaintext card numbers are in the wild.