A security analyst says that hackers are selling a database they say contains the credit card numbers and the three-figure security number associated with each card for 2.2 million users the Sony PlayStation Network.
As we reported earlier this week, Sony said that when hackers broke into its PlayStation Network, they took personal information and might have taken credit card information.
The New York Times adds:
Kevin Stevens, senior threat researcher at the security firm Trend Micro, said he had seen talk of the database on several hacker forums, including indications that the Sony hackers were hoping to sell the credit card list for upwards of $100,000. Mr. Stevens said one forum member told him the hackers had even offered to sell the data back to Sony but did not receive a response from the company.
Although several researchers confirmed the forum discussions, it was impossible to verify their contents or the existence of the database.
Sony for its part said in a blog post that the stolen data was encrypted:
The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
Sony adds that while it asks for a CVC or CSC number (the three-digit security number on the back of credit cards) it does not "store them in our database."
Even if the credit card numbers are safe, reports Reuters, the incident could end up costing credit card companies $300 million:
Each customer request to replace a credit card would cost lenders about $3 to $5 per card, several analysts told Reuters on Wednesday and Thursday. Those costs would include the new piece of plastic itself, postage, and various customer service costs.
Sony's network hosts about 70 million accounts. The Washington Post reports that the FBI has started looking into the breach.