I realize there's been a massive amount of PlayStation Network coverage on Giant Bomb the past few days, but when potential credit card fraud and data intrusion on 77 million accounts is involved, that happens. Senior director of corporate communications and social media Patrick Seybold, also known as the public face of Sony throughout PSN's disaster, has updated the PlayStation Blog with a new Q&A.

The Q&A reveals a few new details about Sony's decision making process when the initial intrusion was discovered and how the company is handling rebuilding PSN and now ensuring account security.

I've grabbed the most interesting updates (though it's worth reading the whole thing) for you to read:

Q: Are you working with law enforcement on this matter?
A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Q: Was my credit card data taken? 
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account?
A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “DoNotReply@ac.playstation.net” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first 4 digits and last 4 digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.

Q: When or how can I change my PlayStation Network password?
A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.

Q: What steps is Sony taking to protect my personal data in the future? 
A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.

Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information? 
A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located.

Q: When will the PlayStation Network and Qriocity be back online?
A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.

I realize there's been a massive amount of PlayStation Network coverage on Giant Bomb the past few days, but when potential credit card fraud and data intrusion on 77 million accounts is involved, that happens. Senior director of corporate communications and social media Patrick Seybold, also known as the public face of Sony throughout PSN's disaster, has updated the PlayStation Blog with a new Q&A.

The Q&A reveals a few new details about Sony's decision making process when the initial intrusion was discovered and how the company is handling rebuilding PSN and now ensuring account security.

I've grabbed the most interesting updates (though it's worth reading the whole thing) for you to read:

Q: Are you working with law enforcement on this matter?
A: Yes, we are currently working with law enforcement on this matter as well as a recognized technology security firm to conduct a complete investigation. This malicious attack against our system and against our customers is a criminal act and we are proceeding aggressively to find those responsible.

Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.

Q: Was my credit card data taken? 
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.

Q: What if I don’t know which credit card I’ve got attached to my PlayStation Network account?
A: If you’ve added funds to your PlayStation Network wallet in the past, you should have received a confirmation email from “DoNotReply@ac.playstation.net” at the email address associated with your account. This email would have been sent to you immediately after you added the funds, and will contain the first 4 digits and last 4 digits of your credit card number. You can also check your previous credit card statements to determine which card was attached to your PlayStation Network or Qriocity accounts.

Q: When or how can I change my PlayStation Network password?
A: We are working on a new system software update that will require all users to change their password once PlayStation Network is restored. We will provide more details about the new update shortly.

Q: What steps is Sony taking to protect my personal data in the future? 
A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network and Qriocity services and, second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network’s security and your personal data, including moving our network infrastructure and data center to a new, more secure location, which is already underway. We will provide additional information on these measures shortly.

Q: Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information? 
A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement in order to find those responsible for this criminal act no matter where in the world they might be located.

Q: When will the PlayStation Network and Qriocity be back online?
A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure.

Nice.

E: Wow, actually got it.

Anyways, I've been pretty disappointed with how Sony has handled this situation as a whole. The amount of time it has taken them to even attempt to try and answer the public's questions has been somewhat absurd. I understand it's been a difficult situation for them and all, but really Sony when something this big happens you really need to jump on the ball far faster.

nice job sony

What a mess

" nice job sony "

So Senator Blumenthal thinks Sony should pay for 2 years worth of free credit reports and lifelock (or something like it) for all users affected.

Wait a sec... from what i've been hearing, our data is transmitted in plantext.  What encryption is sony talking about?

Man this must be costing them big time.

I can't imagine what the higher ups are thinking right now. This is a PR nightmare.

"

I can't imagine what the higher ups are thinking right now. This is a PR nightmare.

"

So, top men are on it? Hopefully? 

I checked my PSN e-mails like they said to and now I am relieved, I never put my new CC on my PSN. Changed all my passwords just in case and now I just have to wait until PSN is up to change that password. Hopefully this is all old news in a week from now.

It sucks because I haven't played my PS3 for a couple years now, mainly an xbox guy, but sony had my fucking credit card :/

" Wait a sec... from what i've been hearing, our data is transmitted in plantext.  What encryption is sony talking about? "

I really wish people would shut up and calm down about this. Once this is resolved in a few days everything will be back to normal and no harm will be done.

Bunch of trigger happy, paranoid idiots.

" @Mechabolic: 'What you've been hearing' is the problem. "

" So, top men are on it? Hopefully?  "

"  Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a verysophisticated security systemthat was breached in a malicious attack.
sophisticated likee what's my mothers maiden name?sounds like the same sophisticated network at gawker media "

Yep. They decided to move it to a new more secure location. 

Well done Detective Patrick! You have the potential of becoming a great Private Dick.

Curious to see how normal people are taking this, I looked it up on Google Trends. Sure enough, people are looking it up a lot, probably trying to figure out what to do, and even worse (for Sony) speculating on what has happened.

I just hope to God their encryption was as solid as they're suggesting.

don't worry everything will be alright.

Reporters are making this shit blow up. Nobody knows anything yet. I agree 100% that we should but how many times has it been reported that there wasn't encryption and that all your info was taken. Nobody even fucking knows yet. Way to jump the gun everybody.

Funny why they had to say " behind a very sophisticated security system"

seems to be giving a bit more credit to the hackers than I'd expect.

" Reporters are making this shit blow up. Nobody knows anything yet. I agree 100% that we should but how many times has it been reported that there wasn't encryption and that all your info was taken. Nobody even fucking knows yet. Way to jump the gun everybody.

My info is at risk potentially just like all of yours but this shit is getting out of hand. Its turned into Fox news all over my video games websites.

"

" @MooseyMcMan said:

" So, top men are on it? Hopefully?  "

"

What a terrible terrible mess. Personal Details and passwords stored in plain text unencrypted. Sloppy work.

If I wanted to get ripped off I would have bought a 3DS, thanks a lot Sony!

They still haven't given an answer to the most important question yet:

Why did it take them a week to tell users that their personal data might have been compromised and leave everyone in the dark in the meantime?  Even if they didn't have a solid yes or no answer from the start, they should have been more forthcoming with information.

Though I think this is being handled well considering the circumstances, I hope this serves as a wake up call to Sony about how it handles it's online service. This hasn't happened on xbox live, and Microsoft hasn't been removing features or jamming mandatory and overly restrictive firmware updates down it's users throats. I honestly don't think the almost constant headaches associated with PSN are really worth the service being free. I would much rather pay a price comperable to xbox live gold for this to not happen on Sonys next home console. I'm a recent ps3 owner, and I'm starting to wonder if Yakuza and Uncharted were really worth the hassle, or if I should have just saved my money.

I wanted to echo from my previous statement, (and somebody before), that most of your information can be found through legal means, such as real name, address, etc. The credit card stuff is the stuff people should be keeping an eye on.

What encryption did Sony use? I would like them to tell us that rather than just say the CC data was encrypted. 

Thanks Sony....it only took you a week and change to provide us with a decent response.

I seriously hope sony get's sued into the ground over this.

this belated Q/A on a goddamn blog/tweet account is bullshit.

It's all in how they've handled it AFTER the fact it happened as to why I hope they go down over it.  Not in that it happened in and of itself.  But you don't wait a fucking WEEK to say anything about it and just casually say "we don't know if your cc info was compromised" that long after a fucking hack.

what a goddamn bunch of idiots.  Rot in hell sony.

oh and before I'm pegged as a Sony hater..my main console is my PS3 and I love the thing.  Sony, as this shows, is just incompetent.

Thanks for the update!

No worries for me. I stopped updating just before they took away other OS support. Also never gave any credit card details.

Hopefully the CC info was secure enough to prevent someone from accessing it. I'm more optimisitic about the CC info now, but, we all pretty much know that it's a given all of our personal information provided to PSN has been compromised which still really sucks...

This was really supposed to be a banner year for Sony and the PS3, and now that has been completely tarnished by this nightmare situation for their brand. I do think that Sony and the Playstation as a product will, eventually, be able to recover from this but it is going to take a little while to wash this bad taste out of all of our mouths. This is terrible for Sony, but it is even worse for all of us who have to worry about our information being in the hands of some unsavory characters.

 If this were a videogame I bet it would be Nazi's who are behind this, it would have to be Nazi's, as hot as zombies are in the gaming world they don't have the capabilities to access a secure network. Unless it's Nazi zombies, OH SHIT, now I'm terrified.

A little IRC log for you all
 http://pastie.org/private/97oth9v5tspkiztwwdmnga
Okay, so they put the stored CC# in a encrypted db... after they receive it in plaintext through a HTTP GET request. So all that data is unencrypted in the log files of the server.

Answer #2 is loltastic; especially the last sentence.
   'behind a very sophisticated security system that was breached in a malicious attack'
They describe their security system as 'very sophisticated' TWO WORDS before saying it was completely compromised.

Also hilarious is that they are physically moving their data center. What, so they can hide it where the hackers can't find the building?

Japanese companies on the internet....

" @Rockdalf said:

" @MooseyMcMan said:

" So, top men are on it? Hopefully?  "

"

I want Sony to make an ad with Kevin Butler storming into basements and beating up hackers.  "

If the credit card information wasn't stolen, they would have triumphantly announced this days ago, instead of dancing around the issue and making excuses. Assume the worst.

" @Hailinel: 

Taken from the post 2 down from this one

  "There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised," said Seybold. "We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon."  

You might not *LIKE* this explanation, but it doesn't mean they haven't given one
   

"

Noteworthy that they didn't address passwords.  I guess they were part of that plaintext personal info table.

Before I clicked on this article, I knew Patrick wrote it just by reading the long, unnecessary title.

I already went through and changed all my passwords. I did this several months ago after Gizmodo lost mine. So I am tired of changing my passwords. 

While I don't put any blame on Sony for the initial breach of the network, I do agree that the manner in which they have handled the public relations piece and also in communicating with their community has been less than ideal.  Sony should have had more communications with the community throughout the weekend and not just provide us with once a day updates prior to yesterdays announcement.  

for the past week i didnt really care about the fact that PSN was down considering i stopped playing online and i wasnt playing the ps3 much anyways.  but now im regretting that i had a credit card to my account...  what if geohotz hacked the PSN all the way from south america?