Sony Fights Another Mass Hacking Attempt, Comes Clean Quicker


Sony hasn’t had a good year for network security, but it is finally getting its act together when it comes to notifying customers about breaches.

Late Tuesday, the company’s chief information security officer reported on the Sony blog that the company had detected a large-scale, automated attempt to log into customer accounts.

Philip Reitinger, Sony’s senior vice president and chief information security officer, said that attackers had mounted a large-scale attempt to log into Sony’s customer accounts, and that the attempts succeeded in verifying valid sign-in IDs and passwords for roughly 93,000 of them worldwide. Those accounts have since been temporarily locked. Sony isn’t saying who it thinks is behind this latest attack.

The company is also reaching out directly to affected users, who “will receive an email from us [Sony] at the address associated with your account that will prompt you to reset your password.”

Hopefully, the mailboxes at those addresses aren’t protected by the same reused passwords that let the attackers into the Sony accounts in the first place; a password-reset link sent to a mailbox the attacker can also open resets nothing.

The attempts targeted the Sony Entertainment Network (SEN), the PlayStation Network (PSN) and Sony Online Entertainment (SOE), the same three networks that were successfully breached on multiple occasions earlier in 2011, collectively exposing the information of more than 100 million accounts.

According to Reitinger, the situation is now under control. As he writes on the Sony blog:

Less than one tenth of one percent (0.1%) of our PSN, SEN and SOE audience may have been affected. There were approximately 93,000 accounts globally (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts. Only a small fraction of these 93,000 accounts showed additional activity prior to being locked. We are currently reviewing those accounts for unauthorized access, and will provide more updates as we have them. Please note, if you have a credit card associated with your account, your credit card number is not at risk.

Still, Sony’s response this time stands in marked contrast to the company’s seven-day delay before informing the public of the now-legendary hack of its PlayStation Network in April, which compromised some 77 million accounts, including “names, addresses and possibly credit card data,” as Reuters reported.

Three “Anonymous” suspects were arrested in Spain in June in connection with the incident.

That attack, reportedly undertaken in retaliation for Sony’s lawsuit against a PlayStation hardware hacker, also left the PSN offline for nearly a month.

After it was back online, Sony’s CEO Howard Stringer defended his company’s response time, telling The New York Times, “We reported quickly.”

Sony was later named in a class action lawsuit, and its security practices came under scrutiny on Capitol Hill. Testimony before Congress indicated that Sony had been running outdated, unpatched software and had no firewall in place in front of its web servers.

The now-defunct hacker collective LulzSec, a splinter group from Anonymous, carried out a separate attack on Sony Pictures in June and later posted the usernames and passwords of what it claimed were 1 million account holders. Sony subsequently notified 37,500 users individually that their information could have been among the compromised accounts. LulzSec denied involvement in the earlier PlayStation Network hack. Two suspected members have been arrested, one by UK police in July and another by the FBI in late September.

In response to these incidents and the lawsuits that followed, Sony controversially revised its terms of service for PlayStation Network users on September 15, requiring them to waive their right to bring class action claims against Sony over future hacks (a contractual maneuver made possible by a Supreme Court ruling in favor of AT&T in April).

Meanwhile, PC World’s Matt Peckham is taking issue with the semantics of the latest incident. As he writes:

“A hack involves gaining unauthorized access to data in a system. Unless Sony’s not telling us something, it sounds like all these folks gained (fleeting) access to the purchase power of a relatively small number of Sony online accounts…
Again, the semantics matter here. Had Sony been truly hacked, we’d be talking about another dismaying flaw in their cybersecurity setup. Instead, we’re talking about the fallout from a prior attack, in which hackers seized and reportedly released Sony user account-related information.”

That said, this was plainly a punishable intrusion under U.S. law. The federal Computer Fraud and Abuse Act covers, in part, anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains… information contained in a financial record of a financial institution, or of a card issuer…” Logging into someone else’s account with credentials stolen elsewhere is access without authorization by any reading of that language, whether or not a Sony account with stored payment details counts as a “financial record” under the clause quoted.

Furthermore, as Reitinger notes, the attackers attempted “to test a massive set of sign-in IDs and passwords against our network database. These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources.” In other words, this is what practitioners call credential stuffing: to make use of the already-compromised lists, the attackers had to script the sign-in process and replay each leaked username and password pair against Sony’s login. The roughly 93,000 successes are, in effect, a count of users who reused a password from some other breached site, and the distinctive pattern of such an attack (one or two attempts against each of thousands of different accounts from a small set of sources) is exactly what a login service should be watching for.
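As an added example (not Sony’s code, and not anything from the Sony blog post), the following Python sketch shows how such an automated replay looks in an authentication log and how a defender could tell it apart from an ordinary brute-force attack, then pull out the accounts that need locking and a forced reset rather than just the offending IP. The log format, IP addresses, account names, time window and ratio thresholds are all constructed assumptions for illustration.

```python
"""Credential-stuffing detection over login audit logs.

Added example, not Sony's code or data.  The log format, source addresses,
account names and thresholds are all constructed for illustration.

The signal that separates credential stuffing from a plain brute-force attack:
  brute force : one account, many passwords, one source
  stuffing    : many distinct accounts, one or two tries each, one source,
                and a small but non-zero success rate (the users who reused
                a password leaked from some other site)
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    account: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed 'ISO-8601-timestamp src_ip account OK|FAIL' line."""
    ts, src_ip, account, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     src_ip, account, result == "OK")


def classify_sources(events, window=timedelta(minutes=10), min_attempts=20,
                     distinct_ratio=0.8):
    """Per source IP, find the busiest `window` of attempts and label it.

    Thresholds are assumptions; tune them against a real traffic baseline.
    Returns {src_ip: {"verdict", "attempts", "accounts", "successes"}} for
    sources that reach min_attempts inside a single window.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    verdicts = {}
    for src_ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best, j = None, 0
        for i in range(len(evs)):            # sliding window over sorted times
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            if j - i >= min_attempts and (best is None or j - i > len(best)):
                best = evs[i:j]
        if best is None:
            continue
        attempts = len(best)
        accounts = {e.account for e in best}
        if len(accounts) / attempts >= distinct_ratio:
            verdict = "credential_stuffing"  # one try each across many accounts
        elif len(accounts) == 1:
            verdict = "brute_force"          # many tries against one account
        else:
            verdict = "suspicious"
        verdicts[src_ip] = {"verdict": verdict, "attempts": attempts,
                            "accounts": len(accounts),
                            "successes": sum(e.ok for e in best)}
    return verdicts


def accounts_to_lock(events, verdicts):
    """Accounts that logged in successfully from a stuffing source.  These are
    the ones to lock and force through a password reset, not just the IP."""
    stuffing = {ip for ip, v in verdicts.items()
                if v["verdict"] == "credential_stuffing"}
    return sorted({e.account for e in events if e.src_ip in stuffing and e.ok})


def build_sample_log():
    """Constructed log: one stuffing source, one brute-force source, one real user."""
    base = datetime(2011, 10, 10, 22, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    for i in range(40):                      # 40 accounts, one try each, 3 hits
        result = "OK" if i in (5, 17, 33) else "FAIL"
        lines.append(f"{stamp(2 * i)} 198.51.100.7 user{i:04d} {result}")
    for i in range(25):                      # 25 guesses at a single account
        lines.append(f"{stamp(3 * i)} 203.0.113.9 victim FAIL")
    lines.append(f"{stamp(30)} 192.0.2.44 alice FAIL")   # a typo, then success
    lines.append(f"{stamp(45)} 192.0.2.44 alice OK")
    return lines


def analyze(lines):
    """Parse the log, classify each source, and list accounts to lock."""
    events = [parse_line(line) for line in lines]
    verdicts = classify_sources(events)
    return verdicts, accounts_to_lock(events, verdicts)


if __name__ == "__main__":
    verdicts, locked = analyze(build_sample_log())
    for ip, v in verdicts.items():
        print(ip, v)
    print("lock and reset:", locked)
```

On the constructed log the stuffing source is flagged because it touched 40 different accounts with one attempt each, the brute-force source because it hammered a single account, and the real user is ignored because two attempts never reach the threshold. The important output is the list of accounts that succeeded from the stuffing source: blocking the IP alone leaves those accounts open to the attacker from anywhere else, which is why the right response is to lock them and force a password reset, as Sony did.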

Congress is currently debating a raft of data breach legislation aimed at making companies more responsible and accountable when it comes to guarding customer data, but it’s unclear whether any of the bills have enough traction to be made into law this year.

TPM will continue to track developments in this case; stay tuned.
