Sony Says Data Is Protected, Attackers Say It's For Sale
Sony tried to calm customer fears by stating that the credit card data was encrypted, but attackers claim to already be selling that credit card data online. Either one of these parties is stretching the truth, or encrypting data doesn't offer the level of protection we think it does.
In a blog Q&A about the Playstation Network breach, Sony states, "The entire credit card table was encrypted and we have no evidence that credit card data was taken." Sony goes on to claim that it never collects the three-digit CVV number from the back of the card, but later amended that claim to state that it does collect that information, but it does not store it.
Sony claims data was protected with encryption, but attackers say credit card info is for sale.
Meanwhile, the attackers claim to have the credit card data--including the CVV number--for sale on online black market forums. One of these things is not like the other. It seems difficult--if not impossible--to justify how both parties can be telling the truth.
Unfortunately, it is actually feasible that the data could have been encrypted as Sony claims, yet compromised as the attackers claim. It all depends on how the data was encrypted, and how the attackers breached the Sony network.
