Sony: your card data was encrypted
But admits our personal data was not.
Sony has insisted credit card data it stored on users' behalf was encrypted, and it is yet to find any evidence that it was stolen as part of last week's unprecedented PlayStation Network hack.
"All of the data was protected, and access was restricted both physically and through the perimeter and security of the network," communications boss Patrick Seybold wrote on the US PlayStation Blog.
"The entire credit card table was encrypted and we have no evidence that credit card data was taken."
However, Sony reiterated its previous statement, saying it does not know for sure whether credit card information was taken.
"While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility," Seybold continued.
"If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system."
Sony's latest comment should go some way to reassuring worried customers – but for many who have already cancelled their credit cards, it has come too late.
Adding fuel to the fire, Sony has admitted that personal data – PSN logins, passwords, emails, names and addresses – was not encrypted. Sony confirmed this week that this data had indeed been stolen.
"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack," Seybold said.
Sony has come under increasing scrutiny for the way it protected the personal data tied to over 70 million PSN and Qriocity accounts.
The fact that user passwords have been "obtained", as Sony puts it, suggests Sony stored user passwords as plain text – and did not encrypt them.
The Information Commissioner's Office plans to talk to Sony about this, and if it finds it is in breach of the Data Protection Act, it may issue a fine.
Elsewhere, Sony offered some tips for those who don't know which credit card they have attached to their PSN account.
If you've added funds to your PSN wallet in the past, Sony said, you should have received a confirmation email from "DoNotReply@ac.playstation.net" at the email address associated with your account.
This contains the first four digits and last four digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.
When the PSN is back online, users will be required to change their passwords, Sony said. "We will provide more details about the new update shortly."