Sony Says Data Is Protected, Attackers Say It Is For Sale

Sony tried to calm customer fears by stating that the credit card data was encrypted, but attackers claim to already be selling that credit card data online. Either one of these parties is stretching the truth, or encrypting data doesn't offer the level of protection we think it does.

In a PlayStation Blog post, Sony states, "The entire credit card table was encrypted and we have no evidence that credit card data was taken." Sony went on to claim that it never collects the three-digit CVV number from the back of the card, but later amended that claim to state that it does collect that information but does not store it.

Unfortunately, it is actually feasible that the data could have been encrypted as Sony claims, yet compromised as the attackers claim. It all depends on how the data was encrypted, and how the attackers breached the Sony network.

AppRiver security analyst Troy Gill clarified that nothing is really known at this point, but added that if the data was encrypted as Sony claims, it is still possible that the attackers could have cracked that encryption by now. "It would depend first on what hash function was used to encrypt the data. Obviously, if a weaker encryption was used then the easier it would be to break. The amount of resources the hackers were using to break the encryption could also be a factor in the amount of time it would take."

Anton Chuvakin, security expert and co-author of PCI Compliance, notes that database table encryption is often poorly implemented. Organizations often use hardcoded encryption keys, which an attacker might easily find once they have access to the network in the first place.

All of these points address the feasibility or likelihood that Sony could be telling the truth about encrypting the data, and yet that data could be decrypted and available on the black market. However, we still have the issue of Sony claiming not to have stored the CVV data from the credit cards at all, and yet attackers claim to have that crucial piece of data as well.