Sony has released a Q&A addressing frequently asked questions about the PSN data breach. Among other things, it revealed that their “credit card table” was protected with encryption software. However, their “personal data table” was not.
It was not revealed whether passwords were hashed or protected in any other way, although one would imagine that passwords were grouped with the personal data table.
Regardless, Sony is “strongly recommending” that these be changed. As I noted two days ago, this is not necessarily a sign that passwords were stored in plaintext format, although the lack of denial (that they were saved in plaintext) the second time around is worrisome. They hadn’t mentioned the use of encryption previously, but cleared that up in this particular Q&A, and I was expecting the same for the passwords. On the other hand, I’m not sure how many people have asked Sony whether passwords were encrypted or hashed (or if any did).
One thing that puzzles me is this:
Q: What steps is Sony taking to protect my personal data in the future?
A: We’ve taken several immediate steps to add protections for your personal data…including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly. [playstation.com, my emphasis]
Huh? As I understand it, this breach was an on-line hack. How’s physically moving to another location going to improve security? Do they expect a full-frontal assault one of these days, where servers are torn and stolen from racks upon racks that I imagine Sony must have deployed?
That’s quite unlikely. On the other hand, it wouldn’t be the first time. But then again, I don’t think that a company like Sony would be one to use a questionable data center to begin with.