Sony Hackers Claim to Have Credit Cards

Hackers may have as many as 2.2 million credit card numbers stolen from Sony PlayStation Network users, despite reassurances from Sony that its credit card database was encrypted.

Kevin Stevens, senior threat researcher for Trend Micro, recently said on Twitter that hackers claiming to have the credit card numbers are trying to sell the database through online black market forums. The thieves also claim to have the card verification value (CVV) security codes for the purloined plastic. CVVs are typically three-digit numbers found on the back of most credit cards. Stevens was not able to view the database to verify the hackers' claims.

Sony recently said it had no evidence that PSN users' credit card numbers were stolen during a recent intrusion into the company's servers. The company also said the data was encrypted, making it much harder for anyone to turn the credit card data into usable information even if it was stolen.

Data for Ransom?

But that may not be the case if the hackers' claims turn out to be true. Stevens recently told The New York Times the bad guys are trying to sell the list for more than $100,000. The hackers also claim they tried to sell the information back to Sony, but so far the company has not confirmed this.

Security consultant with iSEC Partners Matthew Solnik also told the Times that hackers might have made it into the company's main database. From there, they could have accessed an unencrypted version of the credit card information, according to Solnik. However, Sony has not publicly detailed how its database encryption works so it's unclear if that was possible.

At the moment, the hackers' claims are unverified, so it's hard to know what to make of them. Some PSN users claim they're seeing fraudulent charges on their cards. But considering the PSN intrusion affects more

than 70 million people, it's unclear if the rogue charges are directly related to the PSN break-in.

Nevertheless, PSN users would be well advised to keep an eye on their credit card accounts, and may even want to consider canceling the card used for the PSN services; credit card companies should be willing to issue a replacement under the circumstances.

[Check out PCWorld's guide to surviving the PSN breach for more security tips.]

Sony's PSN and Qriocity music service have been down for nearly ten days following the breach, and the company recently said it is considering compensating users for the service disruption.

The company took the two services offline on April 20 and is working to rebuild its network with beefed up security measures before reopening PSN and Qriocity to users.

Another 'Game' Breached

Sony isn't the only company that needs to rethink its online security practices. On Monday, a customer service representative for the New York Yankees accidentally emailed the personal details of nearly 18,000 season ticket holders to a newsletter mailing list.

Connect with Ian Paul (@ianpaul) and Today@PCWorld on Twitter for the latest tech news and analysis.

Subscribe to the Security Watch Newsletter

Comments