On Friday, eWeek reported that the massive Sony Playstation Network data breach could have been avoided if Sony had used basic online data security measures:
"Sony failed to use firewalls to protect its networks and was using obsolete Web applications, which made the company’s sites inviting targets for hackers, a Purdue University professor testified May 4 to a Congressional committee..."
Consumer Reports reported much of the same:
"In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers—and knew about it months in advance of the recent security breaches..."
Between the two Sony PSN and SOE breaches, about 102 million consumers worldwide have been affected. Sony has arranged for 12 months of complimentary credit monitoring service via Debix for breach victims in the United States. Sony is currently notifying breach victims of the June 18 deadline to enroll in the Debix AllClear ID Plus program. Sony has not disclosed the number of breach victims in the United States, nor what credit monitoring service will be offered to breach victims outside the United States.
This past week, Congress held hearings about the Sony and Epsilon data breaches. In a letter from Sony to the U.S. Congress, the company stated that it had experienced a Distributed Denial of Service (DDoS) attack before the data breaches. Sony claimed that this DDoS attack and the sophistication of the data breach made the breach difficult to detect. When I read this, it sounded like Sony could not walk and chew gum at the same time. I expect much more from a multi-billion dollar corporation.
A response from Congressional Representative Mary Bono Mack (Republican - California), Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, included this:
"Like their customers, both Sony and Epsilon are victims, too. But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits enter. E-commerce is a vital and growing part of our economy... these latest cyber attacks, they serve as a reminder – as well as a wake-up call – that all companies have a responsibility to protect personal information and to promptly notify consumers when that information has been put at risk..."
I view Mack's statement as too mild when the scope and severity of the breaches demand a stronger response. Mack could have emphasized more than just the need for fast breach notification of consumers. Consumers didn't cause this breach. While fast notification helps consumers somewhat, the best solution -- breach prevention -- lies with the corporation.
Massive breaches like Sony's will continue as long as companies act fast, loose, and sloppy with data security of consumers' sensitive personal data. Massive breaches like this will continue as long as the costs to upgrade data security outweigh the costs of any penalties. There have to be penalties for companies that repeatedly experience data breaches, and/or use obsolete data security software and methods.
It appears that in Sony's case, the company's sloppy data security made it easy for criminals to steal sensitive consumer information. 12 months of free credit monitoring is not enough, because the threat of criminals using stolen identity and bank data doesn't magically stop after 12 months. 5 or 10 years of complimentary credit monitoring service would be better. And, the cost of providing breach victims with free credit monitoring services is small compared to other post-breach expenses.
When companies offer a short, 12-month period of free credit monitoring, that effectively transfers the burden -- time and money -- to consumers from month 13 on. Even though consumers didn't cause this breach, consumers end up spending time and money long-term to monitor and protect their accounts long after the free credit monitoring period has ended.
What do you think?
I enjoy reading a lot and your stories are worth reading, nice blog, keep it up.
Posted by: digital rights management systems | Thursday, May 12, 2011 at 01:50 AM
I'm surprised that Sony had their defenses and firewalls down with outdated software. Don't ruin your credit! Make sure you guard everything closely to keep that credit score up.
Posted by: Bobby Flan | Wednesday, October 05, 2011 at 10:30 PM
Kind of pathetic that a company as rich as Sony wouldn't have the best security available, as opposed to basic security, which would have prevented the breach; what they really had was ineffective.
Posted by: Ian Worrall | Sunday, February 12, 2012 at 10:59 AM
If you carry a laptop or other important documents in your briefcase, you may be wondering if there's a high tech way to secure it. Keys can be stolen (and let's face it: key-locks are so last century), but it's a little harder to steal someone's fingerprints.
Posted by: Security Jobs | Wednesday, April 18, 2012 at 06:33 AM