Hackers successfully broke into 93,000 accounts at Sony over the last few days, once again impacting users of the Sony Entertainment Network, PlayStation Network (PSN) and Sony Online Entertainment services.
Sony’s cloudburst, Facebook controversy, FBI takedown, Armenia cut off – 90 Sec News – April 2011
Don’t just read the latest computer security news – watch it in 90 seconds!
This month: Sony suffers a cloudburst, Facebook courts controversy (again), the FBI busts the Coreflood botnet and Armenia gets cut off from the internet.
Watch and enjoy:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like.)
Or listen to the podcast:
10 May 2011, duration 2:11 minutes, size 2.1MBytes
Sony admits breach larger than originally thought, 24.5 million SOE users also affected
Sony disclosed today that the breach affecting its PlayStation Network (PSN) that saw 77 million records lost was larger than they originally thought. Not only were the details of PSN users stolen, but another 24.5 million records related to users of Sony Online Entertainment were stolen as well.
Sony Online Entertainment (SOE) is the division of Sony responsible for many of their popular online role-playing games like DC Universe Online and Star Wars: Clone Wars Adventures. As in the PSN breach, the lost information included names, addresses (city, state, zip, country), email addresses, gender, birthdates, phone numbers, login names and hashed passwords.
In news perhaps worse than the disclosure from two weeks ago, Sony is saying that 12,700 credit and debit cards and expiration dates of non-US customers and 10,700 direct debit accounts (bank account numbers) for users in Germany, Austria, Netherlands and Spain may also have been stolen.
Unlike the credit cards from PSN, which Sony assured the public were encrypted, no mention was made in Sony’s press release about the information from SOE being protected.
Sony was quick to note that the passwords had been hashed, but has not disclosed which hashing algorithm was used and whether they used a salt when calculating the hashes.
Sony mentioned that the lost credit/debit card information and direct debit banking information was stored in an “outdated database from 2007.”
WHAT??!?! How many locations on your network are housing other “lost” financial data? Do you even know where my information is to check whether it has been stolen?
Whether Sony’s bad practices are an act of hubris or simply gross incompetence is hard to discern. Let’s hope for the sake of Sony’s customers and the poor souls in their public relations department that this is the last disclosure they will need to make related to this incident.
It is important to remember that Sony is a victim as well, not just the 101.5 million customers whose personal information have been disclosed. Malicious attacks like this are a serious crime, it is just unfortunate that Sony had not taken a few preventative measures to be sure our information was safe.
For more information on how to keep your data safe, visit our Data Loss and Regulations site to download free tools, papers and other advice on keeping your data safe.
