Print 56 comment(s) - last by BansheeX.. on May 25 at 4:36 AM

Another day, another Sony site hacked.  (Source: The Hacker News)
This time the stolen Sony database is from a Greek Sony property

It's hard to fathom how a company as big as Sony Corp. (6758) could have such porous defenses, as the events in recent weeks have unfolded.  Since late April, Sony has experienced a complete loss of customer records from its two largest international databases -- the PlayStation Network (PSN) database and the Sony Online Entertainment (SOE) database.  

Last week, the PSN network was briefly reactivated and then shut down after yet another security flaw was discovered.  And Japan announced that it would not be allowing Sony's online services to restart in its nation until the company showed proper proof that it had significantly improved its security.

Now yet those pesky hackers have compromised another Sony online property.  

I.  Third Sony Database Breached

This week a poster dumped a pretty interesting archive to text sharing site pastebin.  The record appears to contain a dump of the user database from Sony BMG in Greece.

Included in the post are usernames, real names, and email addresses.  

The post was eventually attributed to The Hacker News, who says they received the information from a hacker who goes by the handle "b4d_vipera".  The hacker appears to have redacted the information from certain fields, including password, telephone number, and user's company, though they claim to have this information.

In total 8,385 records were lost from -- the website of Sony BMG in Greece.  The breach occurred May 5.

The attack was accomplished via an SQL Injection attack, a type of attack that first originated in the 1990s.  SQL Injection attacks are most commonly used on large entities with multiple websites.  The attacker finds SQL databases on various sites of the target and then tests them by sending strings that may be mishandled by the SQL Interpreter, allowing forbidden commands to be executed.

It is unclear whether the only Sony BMG in Greece was vulnerable or whether Sony BMG sites in other nations could have been vulnerable as well.

Security software and services vendor Sophos gave some interesting analysis on the breach in their Naked Security blog.   The blog suggests that the negligence likely wasn't the fault of Sony's engineers on the design side.  Writes Sophos's Chester Wisniewski:

As I mentioned in the Sophos Security Chet Chat 59 podcast at the beginning of the month, it is nearly impossible to run a totally secure web presence, especially when you are the size of Sony. As long as it is popular within the hacker community to expose Sony's flaws, we are likely to continue seeing successful attacks against them.

But Mr. Wisniewski says that Sony could have avoided these issues if had hired experts to do thorough penetration testing (fake attacks that look to simulate a malicious user to find and fix vulnerabilities).  He writes:

The lesson I take away from this is similar to other stories we have published on data breaches. It would cost far less to perform thorough penetration tests than to suffer the loss of trust, fines, disclosure costs and loss of reputation these incidents have resulted in.

He says that while Sony obviously is suffering from the barrage of attacks, at the end of the day it may be forced into having the most secure design on the market, much like Windows OS maker Microsoft Corp. (MSFT).  He comments, "While it's cruel to kick someone while they're down, when this is over, Sony may end up being one of the most secure web assets on the net."

II. The Cost to Sony

Richard Scott, a contributor of iconic infographics to BBC News and The New York Times, has set his sights on Sony with his latest graphic.  It depicts an estimated cost to Sony of $24B USD.

That estimate comes from research by The Ponemon Institute, a data-security research firm, who found that on average in 2010 a data breach cost a company $318 USD per lost record in security, user protection, and legal costs.  That represents a 48 percent increase from 2009.

Forbes suggests the $24B USD figure, but that's only
considering the PSN breach.  With the 24 million record SOE breach added in, the figure soars to $32.1B USD.

Sony is being conservative in its own cost estimates.  Its financial filings have indicated that the intrusions are clearly taking their toll on the company -- it went from predicting a ¥70B ($855M USD) profit for the year to now predicting a ¥260B ($3.14B USD) loss [source; PDF].  Sony blames much of that estimated loss on the earthquake (¥22B) and other factors.

The company say its expects only to have to pay ¥14B (about $172M USD) for the PSN intrusion.  This puts its expected expense per lost record at about $2 USD per account.

It seems Sony may be a bit too optimistic here.  If the industry average is $318 USD per lost record, it'd be extraordinary for Sony to get away with only paying $2 USD per record.

In 2010 Sony made $77.5B USD in revenue, with a $289M USD profit.  If it was forced to pay a $32.1B USD in total (based on the industry average) for the breaches it could end up with a net loss of $35B USD or more for this year.

A $35B USD loss would be equivalent to approximately half the company's annual revenue and equivalent to over 10 years in profit from relatively "good" years.  It remains to be seen exactly how dire the financial situation for Sony gets, but one thing's for sure -- the picture isn't pretty.

Sony is currently facing multiple class action lawsuits in the U.S. and abroad from former customers.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By JasonMick on 5/23/2011 10:14:59 AM , Rating: 5
However, Sony is one of the most arrogant tech companies in the world. How many times have they burned the consumer (Blu-ray, Rootkit, MemoryStick, PS3 Homebrew, etc.)?

The true victims are the poor customers who trusted Sony.

Agreed. One of the big lessons here is to not display arrogance towards those who programming and security skills are your equal or better.

Your comment was a bit over general (I don't know how much I agree about your Blu-Ray and MemoryStick part), but when it comes to homebrews on the PS3, the open source community tried to reach out to Sony and convince it to leave in a route to preserve their work.

But Sony was adamant into stomping out the platform it created for the console in the first place. And Sony sued one of the highest profile and most beloved hardware hackers, George "GeoHot" Hotz for publishing the console's root keys and a jailbreak procedure.

In the end, much like Nick Denton's harassment of the hackers of Anonymous cost his sites' and his users' privacy, Sony's arrogance towards hackers has proved financially disastrous.

Companies need to remember it doesn't matter how "bad" or "evil" they think hackers are, at the end of the day, if those hackers despise your company due to your actions and have the talent to break your defenses, that's all that matters.

Punishments may eventually be dealt out, but that will be far too late to salvage Sony's bottom line.

RE: I would normally feel sympathy for the company
By cpeter38 on 5/23/2011 11:45:10 AM , Rating: 3
Specific issues:

Blu-ray - 1.) the DRM issue mentioned above. 2.) Cost - $9 licensing fee per read only player; $0.11 licensing fee per read only disk (more for recording units/disks); 3.) Licensing complexity - they are still working on a one stop shop for licensing

MemoryStick - 1.) Proprietary (compatibility issues) 2.) Licensing costs

Sony has used their dominant market position to force the adoption of these proprietary formats. This makes sense for Sony. They derive a significant amount of income from the licensing fees. Unfortunately, the consumer does not get a significantly superior product for the increased costs. Was Blu-ray significantly better than HD-DVD (when they were first launched)? Would you argue that MemoryStick or MemoryStickPro is significantly superior to SD?

By Yoshino Kurokawa on 5/23/2011 1:48:11 PM , Rating: 2
So - how does this differ from the rest of the industry? I can name at least a dozen companies that employ some sort of proprietary identity, DRM and/or licensing tripe at this point - not to mention the last decade.

Can't single out Sony on this if you're not willing to employ equal weight to all players, as it sounds less an opinion than one looking to add his fire to the riot. Let's have some issues specific to Sony before you light the funeral pyre - eh?

By tng on 5/23/2011 3:05:33 PM , Rating: 1
Yes there are other companies out there that do these things, the problem is that virtually none of these companies (with the exception of Apple) are so in your face with them.

Sony has frankly screwed itself with the PS3 Homebrew, here it is, now it is not and we will prosecute attitude....

RE: I would normally feel sympathy for the company
By Conner on 5/23/2011 1:21:10 PM , Rating: 2
Hacking is illegal. I don't like this statement because it seems you are giving legitimacy to these "hacking communities".

and Robin Hood was a tyrant.....

Not everything is cut-and-dry. I'm for people governed by people, not EULAs!

By liem107 on 5/23/2011 4:20:18 PM , Rating: 2
Nothing is a clear cut but maybe Robin did not resell users personnal details and credit cards details for his personnal enrichment...but how in this case did the hacking benefit to sony s clients? This hacking is purely criminal and this is a clear cut.

"It looks like the iPhone 4 might be their Vista, and I'm okay with that." -- Microsoft COO Kevin Turner

Most Popular ArticlesAMD, Zen Processor might power the upcoming Apple MacBook Pro
September 30, 2016, 5:00 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Are you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
Apple’s Siri Speaker is a Game Changer
September 26, 2016, 5:00 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki