PSN Outage: Security Details Update

Sony has released a new Q&A for its customers regarding the PSN and Qriocity outage and security breach. It covers credit card details and passwords, and reassures customers that, contrary to rumour, “All of the data was protected” and “The entire credit card table was encrypted and we have no evidence that credit card data was taken.”

Here’s the full Q&A post extract:

First off, we want to again thank you for your patience. We know that the PlayStation Network and Qriocity outage has been frustrating for you. We know you are upset, and so we are taking steps to make our services safer and more secure than ever before. We sincerely regret any inconvenience or concern this outage has caused, and rest assured that we’re going to get the services back online as quickly as we can.

We received a number of questions and comments yesterday and early today relating to the criminal intrusion into our network. We’d like to address some of the most common questions today.

We are also going to continue to post updates to this blog with any additional information and insight that we can over the next few days.

We are reading your comments. We are listening to your suggestions. Please keep them coming.

Thank you.

Q: Are you working with law enforcement on this matter?
A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

Q: What steps should I take at this point to help protect my personal data?
A: For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports.

Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account?
A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “[email protected]” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first 4 digits and last 4 digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.

Q: When or how can I change my PlayStation Network password?
A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.

Q: Have all PlayStation Network and Qriocity users been notified of the situation?
A: In addition to alerting the media and posting information about it on this blog, we have also been sending emails directly to all 77 million registered accounts. It takes a bit of time to send that many emails, and recognize that not every email will still be active, but this process has been underway since yesterday. At this time, the majority of emails have been sent and we anticipate that all registered accounts will have received notifications by April 28th. Consumers may also visit www.us.playstation.com/support and www.qriocity.com for notices regarding this issue. In addition, we have taken steps to disseminate information regarding this issue to media outlets so that consumers are informed.

Q: What steps is Sony taking to protect my personal data in the future?
A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.

Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information?
A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located.

Q: When will the PlayStation Network and Qriocity be back online?
A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.

As always we’ll keep you updated when we hear more.

Source: PSBlog

107 Comments

  1. “we expect to have some services up and running within a week from yesterday.”

    OK, so they are making everything nice and secure, but another week before ‘some’ services are back. Good job Sony haven’t got a reputation for missing deadlines. Oh, wait…..!!!

    On the positive side, at least we have been told a bit more information and do have a timescale to work from, so thanks Sony for that, plus if what has been said is true, perhaps not as bad as people have been thinking or fearing.

    • They’ve said it will be back up and running on Tuesday with limited service

  2. One thing about the personal information here: you can get people’s name and address even through a car’s licence plate number, so your information is pretty much public knowledge

    • You can get it from census information if you’re prepared to pay for it.

      Banks have been saying not to bother cancelling your card as well, as not enough data was taken and they’d spot any fraud attempt.

      As long as you get your PSN password changed when it goes live again I don’t think you should have much to worry about (assuming you follow the correct security rules yourself, i.e. don’t use the same password for multiple accounts etc…)

      • As long as the hacker has your email, D.O.B and security answer, he can easily go through the Forgotten Password and change it to something else.

      • Here you can ask for it with a text message and it costs what text messages cost, but the thing is you can’t do much damage without a social security number; just a name and an address doesn’t work

  3. So it looks like it might be back up next week, I thought it’d be months!

  4. So, another week of downtime to face yet. :(
    Now we know for certain that our personal data was not encrypted, but we still don’t know the extent of the intrusion – I want to know if they can determine specifically whether someone just accessed the area where the data was held or actually harvested that data, and to what extent.

  5. Speaking as a long time PS fan, once the PSN is back up and running I will be cancelling my account with Sony and my PS3 will be an offline closed box from then on. This ordeal has proven to me just how incompetent and unprofessional they are as a company.

    • Bit OTT

      • Massively OTT.

        R4U, come on matey, don’t wanna end up like Bart when he took that FOCUSIN do you?

      • LOL, that episode was just on the other day on Sky1 or Channel 4…..

    • Surprised you’re still on the net to be honest if that’s your reaction then…

    • How is a company that got their “sophisticated security” hacked to blame? This goes back to the OtherOS debate.
      Apparently it’s Sony’s fault hackers exist, who knew.

      • I think there’s plenty of blame to share around on the hackers’ and Sony’s side, but if the credit card details are safe that’s all that really matters; your name and address is in the public domain, be it on the electoral register or on Facebook.

    • No one loses out but you R4U

    • If you feel like that you shouldn’t use any online service ever again, since any service could end up getting hacked. At least the plus side with this is that Sony’s protection will be even higher than before

    • Lol I can tell this is a Playstation website. A company fails to secure our personal data, keeps us in the dark for nearly a week, may have lost our credit card details and I’m being OTT for being cautious and keeping my PS3 offline…

      • But after this it will be a lot more secure, and besides my info is already on the net. If it is there I’m not gonna let these fucks ruin my gaming fun

      • I would imagine if I was a mostly online gamer I would share a similar view, but I only really used my PS online to play online games once a week and buy the occasional item off the PSN store. I can definitely live without those things lol

      • Well yeah, I’m not that big of an online gamer myself

  6. Are passwords in the “personal data table”?

    My personal experience of databases is that you store personal data in one table but login data in another.

    The only bit of data I was worried about was my password. As long as I can get that changed quickly then I’m fine. The PSN was the only place I used it anyway.

    • Limited service on Tuesday when it goes back online; hopefully the limited services working will include password changing and most if not all of account management

    • Firmware will be released, so before you go online you’ll need that. And as mentioned, it will require you to change your password

      • Of course, but I think what services of the limited service will be working? Obviously online gaming will, but will all account management, so people can change credit/debit card details, or will they still be making that section more secure? I think the limited services working need to be clarified a bit more by Sony; they owe their customers that at the least

  7. That is a crap way to handle data. Passwords should always be encrypted! If not then you might as well tell the bloke next to you what it is. I hope their security for personal details managed to stop any hacking attempt. Hopefully, Sony will encrypt all data of PSN account holders. On the plus side, PSN could be back up within a week. :D

  8. Wanted to add a different opinion which I appreciate not everyone will agree with, but hey, I’ve got thick skin so hopefully you do too….

    – I don’t think many of you appreciate the complexity of a system the size of PSN. If you were to encrypt commonly accessed data fields, the strain on the system decrypting that info every time you log in would be immense and would equate to a large scaling implication within the datacentre. We are talking hundreds, maybe thousands of nodes, not a single MySQL cluster. Consequently, you make tough choices about what to encrypt and what not to encrypt…and even to what level of encryption. Simply saying ‘passwords’ should be encrypted is pretty ignorant of this scale of system.

    – Encrypting the CC details is something many organisations in the UK and around the world still haven’t done. It’s why most companies are still not PCI compliant. The fact Sony had this encrypted is a testament to their good security practice. Hard to acknowledge that in this situation of course…but it’s true nonetheless.

    – Encryption can be circumvented given enough time and effort, particularly when below 128bit. Simply encrypting everything does not solve the problem of hackers stealing your information. It has value, they WILL steal it, get over it.

    – Yes, it’s a huge inconvenience and I’m pissed off too. Just not sure where to direct my anger…but those responsible for the hack are ultimately the bad guys, not Sony.

    – Peace.

    • YES!

    • “Simply saying ‘passwords’ should be encrypted is pretty ignorant of this scale of system.”

      Simply letting Sony off the hook because encrypting passwords would take more system resources that they did not want to pay for is pretty ignorant too.

  9. Passwords being left unencrypted is TOTALLY unacceptable. Even total garbage freebie internet services such as forums encrypt password data.

    • I don’t think that’s true mate…what evidence do you have for that? (Happy to be proved wrong!)

      • Any website which sends you your password in an email isn’t encrypted/hashed… Any website such as TSA which can only reset passwords (not send them) is hashed.

      • Not trying to be particularly argumentative, but hashed doesn’t necessarily mean encrypted, nor does it mean the level of encryption is over 48-bit. The point I’m making is that a password really isn’t THAT sensitive a piece of information, particularly when you consider the fact that MANY people use weak, guessable (or brute-forceable) passwords. Whereas a CC card is regarded as requiring a higher level of security…which Sony had.

      • By basic websites, I mean I have set up a small free community forum for an online gaming clan I was in. In the way that has already been described, the passwords are encrypted at all times and not even viewable by admins – all you can do is reset them, which prompts the user to create a new password.

        Hashing is just another word for encryption. Encryption algorithms such as SHA or MD are examples; basically the difference is the number of bits used, and broadly speaking the more bits used the more secure the encryption (although given enough time and with the ever increasing processing power available nothing is 100% secure forever).

        I believe there is a competition ongoing at the moment to create the next generation of encryption.

        My point is that having SOME sort of encryption should be a given for a tech giant like Sony. At least if they have some sort of encryption the hackers have to put some effort into cracking it before getting any further.

        If nothing else perhaps it would have given Sony more time to react and get a password reset system in place before the hackers managed to crack the encrypted passwords.
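The thread above distinguishes services that can e-mail you your password (so they hold it in readable form) from services that can only reset it (so they hold a hash). The following is an added example, not code from the original post, from Sony, or from any of the commenters, of what the second design looks like: passwords are stored as salted PBKDF2-HMAC-SHA256 records that an operator cannot read back, and a forgotten password is handled with a single-use, time-limited reset token of which only a hash is kept. The `UserStore` class, the iteration count and the record format are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed parameters for this example; production code tunes the iteration
# count to its hardware (or uses bcrypt/scrypt/Argon2 via a library).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt>$<digest>.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed lookup for everyone at once.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """Hypothetical in-memory account table (constructed for this example)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.users: Dict[str, str] = {}                       # username -> password record
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}  # username -> (sha256(token), expiry)
        self.clock = clock

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def check_login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        return record is not None and verify_password(password, record)

    def issue_reset_token(self, username: str, ttl_seconds: int = 900) -> Optional[str]:
        """Create a random token to send to the user out of band (e.g. e-mail).

        Only the token's SHA-256 is kept, so the token itself is as unreadable
        to an operator or a database thief as the password it replaces.
        """
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self.reset_tokens[username] = (token_hash, self.clock() + ttl_seconds)
        return token

    def redeem_reset_token(self, username: str, token: str, new_password: str) -> bool:
        """Accept the token once, within its lifetime, and replace the password hash."""
        entry = self.reset_tokens.get(username)
        if entry is None:
            return False
        token_hash, expiry = entry
        if self.clock() > expiry:
            del self.reset_tokens[username]
            return False
        presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            return False
        del self.reset_tokens[username]           # single use
        self.users[username] = hash_password(new_password)
        return True

    def dump_records(self) -> Dict[str, str]:
        """What a copy of the table would reveal: records, never passwords."""
        return dict(self.users)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")   # same password, different record
    print(store.check_login("alice", "correct horse battery staple"))  # True
    token = store.issue_reset_token("alice")
    print(store.redeem_reset_token("alice", token, "new-password-1"))  # True
    print(store.redeem_reset_token("alice", token, "new-password-2"))  # False: token already used
    print(store.dump_records())
```

The point the example makes for the discussion above is that with this design a copy of the user table gives an intruder only salt/digest pairs, which still have to be cracked one guess at a time per user, and the service itself never needs to read a password back, so it cannot mail it to anyone.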

  10. I’m looking forward to the report by the external data company, assuming Sony will be transparent in their activities
