Update on PlayStation Network and Qriocity (From Sr. Corporate Com. Director)

Source: Playstation

April 26 2011

Thank you for your patience while we work to resolve the current outage of PlayStation Network & Qriocity services. We are currently working to send a similar message to the one below via email to all of our registered account holders regarding a compromise of personal information as a result of an illegal intrusion on our systems. These malicious actions have also had an impact on your ability to enjoy the services provided by PlayStation Network and Qriocity including online gaming and online access to music, movies, sports and TV shows. We have a clear path to have PlayStation Network and Qriocity systems back online, and expect to restore some services within a week.

Valued PlayStation Network/Qriocity Customer:
We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network. In response to this intrusion, we have:

1. Temporarily turned off PlayStation Network and Qriocity services;
2. Engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and
3. Quickly taken steps to enhance security and strengthen our network infrastructure by re-building our system to provide you with greater protection of your personal information.



Read more: http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

---

Snip "Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking. When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well."

... And just now they are letting people know through a post on their BLOG?!?!

Password data was not kept secure? Not encrypted? SERIOUSLY?
You don't know if credit card info was leaked? REALLY????

I've seen Mom&Pop shops protect my data better.

PSN has been down since it happened so a persons PSN data does nothing for whomever has it right now. Also, they have been putting out regular updates and this is not the first time they have talked about the possibility of CC info being taken, they announced that as soon as they knew any data had been taken. The not knowing about the CC info is disturbing though, I do not see how they can be sure the other data was taken but not be sure if CC info was taken. That makes no sense to me.

I would also say that not knowing the nature of the break in, it is difficult to judge how well they were protecting the data. There is no way to make a completely secure system, it is the nature of the electronic beast.

(Payment Card Industry Data Security Standard)
which, online merchants of this volume are required to follow... I have a hard time believing that they would not be held liable... or if most processors would even process transactions from PSN as a source.

I don't think a completely safe system is possible either, but, having a one-way encrypted hash of a password would make it so that only a few would be decrypted over the course of decade or so.

But I don't think that has anything to do with how the CC# is stored or what security they have on their databases. I would hope they store it in encrypted format, everywhere I've ever worked that uses bank or CC info has done so but I do some places do not and I do not know for certain about Sony.

that the CW2 data was for sure not compromised. My hope is that they are being cautious and treating encrypted data as if it was able to be decrypted.

...and when they sent the notice, there was a note that they were required to offer a credit-monitoring service for 2 years at no charge because our information was compromised (and with it, the bank information attached to payments originating from accounts or debit/credit cards). Perhaps there is a legal statute or line that is crossed when it is ~known~ the cc info is compromised that Sony is attempting to dodge?

Note: this is purely conjecture/inquiry. I am not claiming that such a law is fact.
Edit: Clarity