How Security savvy are Sony?

as a user of Sony's services i was too reading their slow ebb of information this week, being progressively shocked by facts such as passwords could be read by a hacker, thus were stored “in the clear”, the final nightmare of credit card numbers being obtained is again a fuzzy read between the lines “it should be ok” as the data “is encrypted somehow”. Perhaps the endless pages of the end user agreement required when you sign up should mention such facts, such as how Sony actually intend to protect your data on their systems, rather than all the “get out of jail free” statements of the usual end user agreements

Now we have reports that perhaps the credit cards weren't all protected by strong encryption, and that the hackers have a database that includes 2.2 million credit card numbers, and that they are hoping to sell the credit card list for upwards of $100,000 (courtesy of NY Times & Trend Micro).

Listening to the recording of the Sony press conference on Sunday, they eventually confirmed that the passwords were 'hashed' - but no details are forthcoming regarding what they were hashed with, or if they were salted, citing the need to keep some security details secret from the hackers.

They did announced that they are going to recruit a Corporate Information Security Officer - so presume they didn't employ one up to now?

Sony disclose an earlier breach compromised 25 million accounts with Sony Online Entertainment.

In a statement, Sony said credit card details and other personal information such as names, home addresses, e-mail addresses, dates of birth, phone numbers and gender information had been pillaged.

Additionally, direct debit details of around 10,700 customers in Austria, Spain, the Netherlands and Germany were stolen, as were the credit or debit card details of some 12,700 non-US customers. Sony said that this data was taken from an outdated 2007 database which may no longer be usable.

If it was no longer usable, then why haven't they deleted it?

However, if it was me, then I'm still using the same Bank Account I was using in 2007, so that makes the Account still 'live' and holding funds, and with the rise of Debit Cards valid for 3/4 years, then who is to say that the 2007 records have expired yet?

Anyway, simply increment the Expiry Date, and for those transactions that don't even ask for the CVV Security Code, you're in business.

PCI-DSS 3.1 states "Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes"

Well once you've been paid by the Credit Card Issuer / Direct Debit Bank, why keep the data longer than say 3 months, rather than 3 years?

So even if Sony did a self-assessment, I don't think they can hand on heart say that they were PCI-DSS compliant as far as this particular database was concerned.

I think the Sony disinformation was a complete mess.  It doesn't look they they were even attempting to be PCI compliant, and so the question is what will the industry do about that?  Probably nothing again, if Sony fall into the category of 'too big to touch'?  Sounds familiar.

I understand at least 12 Sony sites have been compromised, sort of ongoing thing with imitators abounding.

Sony while great with the electronics, never struck me as very forward thinking when it came to the interwebs.

I'd expect Tepco #Fukishima type public information flow, if you know what I mean.