Yeah, possibly. I thought it was encrypted, then unencrypted, then sent out as unencrypted by hackers. Not too sure, so you should probably get your security info from twiz.
Doing a little searching (this is the first link I clicked from my first search actually), I came across this:
http://pastebin.com/pazcH1mp
(It comes from a comment on Kotaku, which I cannot find.)
QUOTE: For all of you Sony apologists, here is why this is a big deal.
Let's put everything into perspective.
December 2010: fail0verflow/George Hotz hack the PS3.
January 2011: Sony files a lawsuit against fail0verflow and George Hotz.
February 2011: PSN's network traffic is detailed. Personal information is stored locally and sent unencrypted to Sony via PSN.
April 2011: PSN is breached.
As a credit card merchant, Sony has some obligations. As defined in the Payment Card Industry Data Security Standard (PCI DSS) Sony is supposed to do the following:
1) Build and Maintain a Secure Network
2) Protect Cardholder Data
3) Maintain a Vulnerability Management Program
4) Implement Strong Access Control Measures
5) Regularly Monitor and Test Networks
6) Maintain an Information Security Policy
[en.wikipedia.org]
They failed to do this.
The biggest weakness is Sony assumed that PSN was a private network. A network between a secure PS3 and PSN. How do we know this is Sony's assumption? Because in a detailed analysis of the network transmissions between a PS3 and PSN, a hacker discovered that user credit card data was transmitted to PSN unencrypted.