Sony’s Security Woes Continue

Even as Sony finally brings its PlayStation Network (PSN) back online after a massive security breach that began in April, it still remains a tempting target for hackers.  In recent days there have been at least three Sony related incidents.

Sony has shut down a website that had been set up to allow users to reset their passwords in the wake of the initial breach.  The site had a “security hole” that could have allowed someone who already held the personal data taken in the original breach to hijack users’ accounts.  The password reset page allowed anyone who knew a user’s date of birth and email address to reset that account holder’s password.

In another attack, a Sony-owned Internet Service Provider, So-Net Entertainment Corp., was hacked, compromising email accounts and customer rewards.   The breach resulted in about $1,200.00 stolen from So-Net accounts.  Also, a Sony Thai website was hacked and set up to run a phishing site.

While the recent attacks are much smaller in scope than the PSN attacks that may have exposed the personal information of over 100 million Sony customers, clearly hackers smell blood in the water.  The continuing attacks indicate that the massive publicity generated by the PSN incident is a hacker’s dream.

As Sony scrambles to plug its security holes and stay ahead of the hackers, there are lessons to be learned for all businesses.  Although post-incident communications must be made to re-establish credibility and trust with customers, avoid definitive public statements crowing about new security measures.  Otherwise, hackers feel challenged and the target on your back only grows bigger.

In fact, Sony’s CEO, Howard Stringer, is probably already regretting his statement exclaiming that “we are up and running, and we are safer than ever.”  There is a fine line between reassuring customers and inviting further hacks.

  • Theodore J. Kobus III, Esq.

    ….and it continues. Today, we have reports that Sony BMG in Greece was hacked and usernames, real names, and email addresses were uploaded by an anonymous user to pastebin.com. The link to the report is here:

    http://nakedsecurity.sophos.com/2011/05/22/sony-bmg-greece-the-latest-hacked-sony-site/

    Pastebin.com is a web application that allows a user to post text for public viewing. The author of the above article describes it as kicking someone when they are down… I think it is more like a mischief of mice bringing down an elephant.