On the Sony PSN Breach and Commenting

Tuesday, May 10, 2011

Anton Chuvakin


Here is why I am rejecting many requests to “comment on the Sony PSN breach”: because most such post-breach comments by outsiders are pure drivel that rarely even RISES to the level of FUD.


Q: What got stolen in the now infamous Sony PlayStation Network (PSN) breach, the #4 largest ever at DatalossDB?

A: Definitively, for all PSN users: “name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID” (source: Sony letter, obtained via dataloss-discuss@datalossdb.org)

Possibly: “profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers” (source: same Sony letter)

Total record count stands at 77 million.

Q: Were all the credit cards stolen?

A: I don’t know and Sony says THEY DON’T KNOW either.

Q: What does it mean, “they don’t know”?

A: To me, it means they sucked at security monitoring and sucked REALLY hard at logging, and likely didn’t have database logging/auditing. A breach can happen to anybody, but not knowing AFTER the breach whether REGULATED data was stolen points to gross incompetence.

Q: Were they PCI compliant?

A: I don’t know. Most likely, they were validated as PCI DSS compliant at some point (I’d assume they are Level 2 or maybe Level 1). Was there a QSA involved? I don’t know, but I’d guess they are comprised of multiple Level 2 (and below) merchants, not one Sony-wide Level 1. Thus they self-assessed via SAQ.

Q: But were they REALLY PCI compliant?

A: I don’t know. Don’t bug me about this one.

Q: Were they PCI compliant at the presumed time of the breach?

A: I don’t know. Personally, I seriously doubt it since maintaining PCI compliance at all times is extremely hard (example) and access to regulated data should be logged and monitored.
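As an added illustration of the logging point above (this is example code, not code from the original post and not anything from Sony), here is a small Python script that answers the question “was a regulated table touched during the breach window?” from a database audit trail. It also reports stretches of the window with no audit events at all, because without continuous logging “we don’t know” is the only honest answer. The log format, table names, users, session ids and addresses are all constructed for the example.

```python
"""Answer "was regulated data accessed during the breach window?" from a DB
audit trail, and flag logging gaps that make the answer unknowable.

Added example. The audit-log format below is a constructed, generic one
(timestamp, db user, client ip, session id, statement), not any vendor's.
"""
import re
from datetime import datetime, timedelta

# Assumed names of the tables holding cardholder (PCI-regulated) data.
REGULATED_TABLES = {"cardholder_data", "card_pan"}

# Constructed log format:
#   <ISO timestamp> user=<db user> client=<ip> session=<id> stmt="<SQL>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) client=(?P<client>\S+) '
    r'session=(?P<sid>\S+) stmt="(?P<stmt>.*)"$'
)
# Table names that follow FROM / JOIN / INTO / UPDATE in a statement.
TABLE_REF = re.compile(
    r'\b(?:from|join|into|update)\s+([A-Za-z_][A-Za-z0-9_.]*)', re.IGNORECASE
)

# Constructed sample audit log: one app session, one odd DBA session from an
# external address that joins against the card table, then 5.5 hours of silence.
SAMPLE_LOG = """\
2011-04-17T02:00:05Z user=app_ro client=10.1.1.20 session=41 stmt="SELECT handle FROM profiles WHERE id = 9"
2011-04-17T02:13:40Z user=app_ro client=10.1.1.20 session=41 stmt="SELECT email, birthdate FROM users WHERE id = 9"
2011-04-17T03:27:11Z user=dba_tmp client=203.0.113.7 session=88 stmt="SELECT * FROM users LIMIT 100000"
2011-04-17T03:29:50Z user=dba_tmp client=203.0.113.7 session=88 stmt="SELECT u.email, c.pan_last4 FROM users u JOIN cardholder_data c ON c.uid = u.id"
2011-04-17T09:00:00Z user=app_ro client=10.1.1.21 session=93 stmt="UPDATE profiles SET handle = 'x' WHERE id = 3"
"""


def parse_ts(s):
    """Parse the UTC timestamp used in the constructed log format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """One audit line -> dict with the referenced tables, or None if unparseable."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    tables = {t.lower() for t in TABLE_REF.findall(m["stmt"])}
    return {"ts": parse_ts(m["ts"]), "user": m["user"], "client": m["client"],
            "sid": m["sid"], "stmt": m["stmt"], "tables": tables}


def parse_log(text):
    """Parse all lines; return (events, number_of_unparseable_lines)."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            bad += 1          # unparseable lines are themselves a finding
        else:
            events.append(ev)
    return events, bad


def regulated_access(events, start, end):
    """Sessions that touched a regulated table inside [start, end]."""
    hits = {}
    for ev in events:
        if not (start <= ev["ts"] <= end):
            continue
        touched = ev["tables"] & REGULATED_TABLES
        if touched:
            h = hits.setdefault(ev["sid"], {"user": ev["user"], "client": ev["client"],
                                            "tables": set(), "statements": 0})
            h["tables"] |= touched
            h["statements"] += 1
    return hits


def coverage_gaps(events, start, end, max_gap=timedelta(hours=2)):
    """Stretches of [start, end] longer than max_gap with no audit events at all.

    Heuristic for a busy database: silence that long means the audit trail was
    off or lost, so "no access recorded" cannot be read as "no access happened".
    """
    times = sorted(ev["ts"] for ev in events if start <= ev["ts"] <= end)
    points = [start] + times + [end]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > max_gap]


if __name__ == "__main__":
    evs, unparsed = parse_log(SAMPLE_LOG)
    win_start, win_end = parse_ts("2011-04-17T01:30:00Z"), parse_ts("2011-04-17T10:00:00Z")
    print(f"{len(evs)} events parsed, {unparsed} unparseable")
    for sid, h in regulated_access(evs, win_start, win_end).items():
        print(f"session {sid}: {h['user']}@{h['client']} touched {sorted(h['tables'])} "
              f"in {h['statements']} statement(s)")
    for a, b in coverage_gaps(evs, win_start, win_end):
        print(f"NO AUDIT COVERAGE {a} .. {b}: access in this stretch is unknowable")
```

Run against the sample, the script attributes the card-table access to session 88 from 203.0.113.7 and reports the 03:29 to 09:00 hole in the trail; in a real investigation that hole is the difference between “the card data was not read” and “we don’t know”.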

Cross-posted from Security Warrior
