Here is why I am rejecting many requests to “comment on the Sony PSN breach”: because most such post-breach comments by outsiders are pure drivel, which rarely even RISES to the level of FUD.
Q: What got stolen in the now infamous Sony PlayStation Network (PSN) breach, the #4 largest ever at DatalossDB?
A: Definitively, for all PSN users: “name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID” (source: Sony letter, obtained via firstname.lastname@example.org)
Possibly: “profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers” (source: same Sony letter)
Total record count stands at 77 million.
Q: Were all the credit cards stolen?
A: I don’t know and Sony says THEY DON’T KNOW either.
Q: What does it mean, “they don’t know”?
A: To me, it means they sucked at security monitoring and sucked REALLY hard at logging, and likely didn’t have database logging/auditing. Allowing a breach to happen can happen to anybody, but not knowing AFTER the breach whether REGULATED data was stolen points to gross incompetence.
Q: Were they PCI compliant?
A: I don’t know. Most likely, they were validated as PCI DSS compliant at some point (I’d assume they are Level 2 or maybe Level 1). Was there a QSA involved? I don’t know, but I’d guess they are made up of multiple Level 2 (and below) merchants, not one Sony-wide Level 1. Thus they self-assessed via SAQ.
Q: But were they REALLY PCI compliant?
A: I don’t know. Don’t bug me about this one.
Q: Were they PCI compliant at the presumed time of the breach?
A: I don’t know. Personally, I seriously doubt it since maintaining PCI compliance at all times is extremely hard (example) and access to regulated data should be logged and monitored.
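The two points above (not knowing after the breach whether regulated data was read, and the requirement that access to regulated data be logged and monitored) come down to having a database audit trail you can query during the incident. The following is an added example, not from this post or from Sony: the audit-log format, the table names, the host list and the sample log lines are all constructed assumptions, and a real tool would sit on top of the database's native audit facility rather than a regex.

```python
"""Added example: answer 'was regulated data read during the breach window?'
from a database audit trail. Log format, tables and sample lines are assumed."""
from datetime import datetime
import re

# Tables that hold PCI-regulated cardholder data (assumed schema).
REGULATED_TABLES = {"cardholder_data", "card_tokens"}
# Assumed audit-log line format: UTC timestamp, principal, source IP, statement.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) stmt=(?P<stmt>.+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample audit trail (not real PSN data).
SAMPLE_AUDIT_LOG = """\
2011-04-17T03:12:09Z user=app_svc src=10.0.1.5 stmt=SELECT login,email FROM users WHERE id=42
2011-04-17T23:40:51Z user=app_svc src=10.0.1.5 stmt=SELECT pan,expiry FROM cardholder_data WHERE user_id=42
2011-04-18T01:03:17Z user=app_svc src=172.16.9.9 stmt=SELECT * FROM cardholder_data
2011-04-18T01:05:02Z user=app_svc src=172.16.9.9 stmt=SELECT * FROM users
2011-04-20T08:00:00Z user=dba src=10.0.1.7 stmt=SELECT count(*) FROM card_tokens
"""


def tables_in(stmt):
    """Table names following FROM/JOIN; assumes simple, unquoted SQL."""
    return {t.lower() for t in re.findall(r"\b(?:FROM|JOIN)\s+([A-Za-z_]\w*)", stmt, re.I)}


def regulated_access(log_text, window_start, window_end):
    """Every statement inside the window that touched a regulated table.
    Returns (timestamp, user, src, tables) tuples; an empty list means the
    trail shows no such access. With no trail at all the question is unanswerable."""
    start, end = (datetime.strptime(t, TS_FMT) for t in (window_start, window_end))
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real tool should count unparseable lines, not drop them
        ts = datetime.strptime(m["ts"], TS_FMT)
        touched = tables_in(m["stmt"]) & REGULATED_TABLES
        if start <= ts <= end and touched:
            hits.append((m["ts"], m["user"], m["src"], sorted(touched)))
    return hits


def breach_summary(log_text, window_start, window_end, known_app_hosts):
    """Count regulated-data reads in the window and list source hosts that are
    not the known application tier (assumed allow-list) for the responder."""
    hits = regulated_access(log_text, window_start, window_end)
    unexpected = sorted({src for _, _, src, _ in hits if src not in known_app_hosts})
    return {"regulated_reads": len(hits), "unexpected_sources": unexpected}
```

Run against the constructed log with window 2011-04-17 to 2011-04-19 and `{"10.0.1.5"}` as the app tier, the summary reports two regulated reads and flags 172.16.9.9; the same monitoring rule, run continuously rather than after the fact, is what turns this from forensics into detection.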