WASHINGTON, Dec 6 — Back in 2011, Sony Corp spent heavily to upgrade its computer systems and fix all known security holes following a cyber attack that took down its PlayStation Network. That protection fell short when the company’s film division was assailed three years later.

The defensive steps companies take after an attack typically have a short shelf life because hackers are constantly inventing new ways to infiltrate computer systems even as their motives shift between thievery and maliciousness.

“Unfortunately, lessons learned by organisations such as Sony are no longer valid even two years after being breached,” Carl Wright, general manager for TrapX Security, said in an e-mail. “We should expect to see every enterprise, government and commercial alike, to be the recipient of multiple attacks.”

In the 2011 breach at Sony, criminals stole personal information, including e-mail addresses, birthdates and login information, on 77 million customers of the company’s PlayStation Network and Qriocity video- and music-streaming service. The attack disrupted service, prompted an apology and cost Sony US$171 million (RM598m).

At the time, the company had many security problems, and its network was compromised in multiple places and by multiple groups, said a person involved with an internal investigation.

Free movement

A key weakness was that few security measures existed between the computers of the Japanese company’s divisions around the world, so hackers could move with relative ease throughout the corporation, said the person, who asked to remain anonymous because the information is confidential.

The most recent attack suggests Sony hasn’t done enough since the last episode. The company put itself and others at risk by not putting passwords or encryption on the files, which would have made them more difficult for hackers to open, according to Todd Feinman, chief executive officer of Identity Finder LLC, a New York-based provider of data management software.

The hackers released 601 files that included more than 47,000 Social Security numbers, Feinman said in a telephone interview. Many were associated with actors and other workers not directly employed by Sony, including celebrities such as Conan O’Brien, Rebel Wilson, Sylvester Stallone and Judd Apatow.

18 files

More than 15,000 people, most of them current and former employees, had additional data leaked, including their home address, date of birth or salary. That information makes them particularly vulnerable to thieves. Some 18 files had more than 10,000 Social Security numbers in them, Feinman said.

“You wouldn’t normally see such a large amount of confidential information unprotected,” Feinman said. “You would think there would be additional controls. There shouldn’t be additional files that contain the same data. You’re giving the hackers 18 times as much chance to get the data.”

A spokesman for Sony Pictures declined to comment.

Amid a rash of hacking attacks, companies have poured money into firewalls, network-surveillance services and other cyber-security technologies. The outlays have helped fuel a market whose worldwide revenue is expected to reach US$72 billion this year, according to data from Gartner Inc.

Pouring money

The spending is in response to escalating threats from cyber-spies, financially motivated criminals and hacktivists, who have stepped up campaigns to steal trade secrets and damage reputations with data leaks, website defacements and, in the case of the Sony attack, even the extreme step of erasing all the information on victim computers.

Once a company has been breached, however, it’s often difficult to know if all of the hackers’ tools have been purged to stop them from coming back, security consultants say. Even if security is exemplary, the networks of large corporations face relentless assaults, many of which prey on humans prone to clicking on bogus e-mails.

“It doesn’t matter how much money a company spends on infrastructure or technology,” said Richard Henderson, a security strategist for Fortinet Inc’s FortiGuard Labs. “Until you close the human gap in the equation, you are always vulnerable to attacks.” — Bloomberg