Yesterday (Wed) we had Sony being not very re-assuring, saying "While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity,
to be on the safe side we are advising you that your credit card number (excluding security code) and expiration date may also have been obtained."
Now today (Thu) we have Sony providing some reassurance, saying "The entire credit card table was encrypted and we have no evidence that credit card data was taken."
So on the one hand, why cause such consternation in the first place? On the other hand, there's no information regarding what encryption was being used.
Maybe we're only taking about Single DES or somesuch? Maybe they don't know what they mean by encryption? I've experienced instances where Companies I've been checking out didn't know the difference between hashing and encryption, and thought that MD-5 was
encryption (and didn't know that it had been compromised).
Certainly the face that personal data including passwords appear to have been held in the clear, rather than be subject to a one-way hash, suggests that Sony weren't exactly at the cutting edge of Security practices?
"The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."
So until more details are forthcoming, people will continue to wonder just how sophisticated it was?