[user2] cuz its way too easy todo scamming at this point

[user2] for example:

[user2] creditCard.paymentMethodId=VISA&creditCard.holderName=Max&creditCard.cardNumber=4558254723658741&creditCard.expireYear=2012&creditCard.expireMonth=2&creditCard.securityCode=214&creditCard.address.address1=example street%2024%20&creditCard.address.city=city1%20&creditCard.address.province=abc%20&creditCard.address.postalCode=12345%20

[user2] sent as plaintext

[user3] uh

[user3] did you censor that card?

[user2] ya its fake

[user3] good

[user1] wow, plaintext :S

[user5] plaintext wow

[user3] im never putting in my details like that

"Hey folks, they told Playstation Plus subscribers about this credit card thing last Thursday."
- Bookscout

"If Sony had required firmware updates hourly instead of daily, this never would've happened."
- MTV Multiplayer's Russ Frushtick

"PSN's down for a week, my credit card info might be stolen, but the most irritating thing about Sony's service is still the name 'Qriocity.'"
- Casey Malone

"PS3 Mortal Kombat exclusive: Kratos. Xbox 360 Mortal Kombat exclusive: being online."
-Andre Black Nerd

"BREAKING NEWS: Nintendo takes WiiWare/Virtual Console offline, just to see If anyone will even notice"
-GeorgeBray

For all of you Sony apologists, here is why this is a big deal.

Lets put everything into perspective.

December 2010: failOverflow/George Hotz hack the PS3.
January 2011: Sony files a lawsuit against failOverflow and George Hotz.
February 2011: PSN's network traffic is detailed. Personal information is stored locally and sent unencrypted to Sony via PSN.
April 2011: PSN is breached.

As a credit card merchant, Sony has some obligations. As defined in the Payment Card Industry Data Security Standard (PCI DSS) Sony is supposed to do the following:

1) Build and Maintain a Secure Network
2) Protect Card holder Data
3) Maintain a Vulnerability Management Program
4) Implement Strong Access Control Measures
5) Regularly Monitor and Test Networks
6) Maintain an Information Security Policy

[en.wikipedia.org]

They failed to do this.

The biggest weakness is Sony assumed that PSN was a private network. A network between a secure PS3 and PSN. How do we know this is Sony's assumption? Because in a detailed analysis of the network transmissions between a PS3 and PSN a hacker discovered that user credit card data was transmitted to PSN unencrypted.

[pastie.org] (See line 66)

Once the PS3 was hacked, PSN became an open/public network. With credit card information being sent unencrypted, it was only a matter of time before, on a limited basis, private data would be stolen. But the fact that Sony didn't encrypt the data was in violation of the PCI DSS agreement with credit card companies.

Sony knew in January what was at stake, we know this because when they filed the lawsuit against failOverflow and George Hotz, Sony invoked the Computer Fraud and Abuse Act. The act is exclusively used by financial institutions and the government to protect against hacking of banks, atms, credit card merchants and transaction processors, or government systems. It further defined the relationship between the PS3 and PSN in such a way by implying specific provisions of the law that George Hotz broke.

I know it's easy to sit there and say every network is hackable. While that's true to some degree, some networks are more difficult to breach than others. The fact that Twitter or Gawker got hacked is meaningless compared to a company that does financial transactions. Again, the whole idea of a company that follows the PCI DSS properly is that they won't get breached. In fact, since the release of the PCI DSS no company found in compliance with the PCI DSS has been breached.

Sony knew since January that user data was at risk, but it did little to nothing to secure that data. It knew that it couldn't close the hole that was created by failOverflow and George Hotz, that cat was let out of the bag despite "assurances" from hackers that it was secure with FW 3.56. The changes Sony is making to PSN today are changes Sony should have made to PSN months ago. The fact that they didn't was either negligence or wishful thinking on their part.

If the breach was only a breach of personal information, then Sony got lucky. However, if this was a breach of financial information and Sony clearly understood what was at stake back in January, then they have to explain why for three months they did nothing to secure their customers personal and private data.