Sony says PlayStation Network credit-card data was encrypted
Sony, whose computers were hacked April 17, on Thursday said it had encrypted the credit-card data of its PlayStation Network and Qriocity customers, but not their personal and contact information.
The company maintained in an updated Q&A that it had no evidence of credit-card information having been stolen, but that it could "not rule out the possibility."
Sony also said it is working with law enforcement agencies to investigate the breach, which exposed the data of 77 million PSN and Qriocity accounts. The actual number of people affected may be smaller, as some accounts are inactive and some users have created multiple accounts. The New York Times earlier this week reported that the case had been sent to the FBI in San Diego. FBI officials declined to comment.
Encrypting data makes it harder, but not impossible, to read. In addition, hackers can use stolen passwords of high-level computer systems administrators at Sony to crack open the files, said John Pescatore, a security analyst with Gartner Inc.
"Encrypted data is only safe if the attacker doesn’t also get the decryption keys," Pescatore said. "That’s the worry about a compromised administrator password. Often, but not always, administrative access means attacks can subvert encryption. It is like locking your doors but leaving the key under the mat."
-- Alex Pham
Photo: Sony PlayStation 3. Credit: Yoshifumi Harada via Flickr