Sony failed to follow standard security practices

By its own admission, Sony failed to follow Industry Data Security Standard guidelines when it failed to delete elderly credit card details from its Online Entertainment network, allowing them to be snaffled up by miscreant hackers.

Robin Adams, director of security, fraud and risk management at The Logic Group and - it says here - "a recognised expert in the Payment Card Data Security Standard (PCI DSS)," says Sony inadvertently admitted that it is not compliant with the standard.

Adams points to Sony's comments, regarding the second loss of data it discovered on its servers - that relating to Sony Online Entertainment. Sony said:

“Information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained.”

“I wonder if Sony are aware of the Payment Card Industry Data Security Standard (PCI DSS) since they are very effectively stating their non-compliance?" said Adams. "The PCI DSS control 3.1 states that cardholder data must be kept to a minimum and that a data retention and deletion policy must be implemented, which involves a process for the secure deletion of cardholder data when it is no longer required. I would suggest outdated credit card databases fall fairly under this category.

“Not only that but the PCI DSS Prioritised Approach categorises the 220 plus controls into six Risk levels and control 3.1 is one of only eight controls considered severe enough to be put in at Risk level 1. In these litigious days one can only assume that the Sony lawyers and Marcom staff who proof read this statement had been missing during the Security Awareness Training.”

Adams also wonders about the fate of the credit card database apparently penetrated in the original hack attack.

“Sony have said that in the original attack, they couldn’t be sure if the credit card database (the large one) had been stolen but in any case the entire database was encrypted," said Adams in an email.

“This statement has been endlessly repeated – yet no-one has asked Sony the obvious question: “Did they take the decryption keys as well?” Because, let’s face it, if they got the keys as well, then the encryption is as useful to Sony and its customers as the proverbial chocolate teapot.”

We asked Sony about the whereabouts of the key and ran Adams' other queries by the humbled Japanese giant. No response is, as yet, forthcoming.

If you're a PSN user, cross your fingers now.