It's hard to fathom how a company as big as Sony
could have such porous defenses, as the events in recent weeks have unfolded.
Since late April, Sony has experienced a complete loss of customer
records from its two largest international databases -- the PlayStation Network (PSN) database and
the Sony Online Entertainment (SOE) database.
Last week, the PSN network was briefly
reactivated and then shut down after yet another security flaw was discovered.
And Japan announced that it would not be allowing Sony's online services
to restart in its nation until the company showed proper proof that it had
significantly improved its security.
Now yet those pesky hackers have compromised another Sony online property.
I. Third Sony Database Breached
This week a poster dumped a pretty interesting archive to text sharing site
pastebin. The record appears to contain a dump of the user database from
Sony BMG in Greece.
Included in the post are usernames, real names, and email addresses.
The post was eventually attributed to The Hacker News, who says they
received the information from a hacker who goes by the handle
"b4d_vipera". The hacker appears to have redacted the
information from certain fields, including password, telephone number, and
user's company, though they claim to have this information.
In total 8,385 records were lost from SonyMusic.gr -- the website of Sony BMG
in Greece. The breach occurred May 5.
The attack was accomplished via an SQL Injection attack, a type of attack that
first originated in the 1990s. SQL Injection attacks are most commonly
used on large entities with multiple websites. The attacker finds SQL
databases on various sites of the target and then tests them by sending strings
that may be mishandled by the SQL Interpreter, allowing forbidden commands to
It is unclear whether the only Sony BMG in Greece was vulnerable or whether
Sony BMG sites in other nations could have been vulnerable as well.
Security software and services vendor Sophos gave some interesting analysis on
the breach in their Naked Security blog.
The blog suggests that the negligence likely wasn't the fault of Sony's
engineers on the design side. Writes Sophos's Chester Wisniewski:
As I mentioned in the Sophos Security Chet Chat 59 podcast at the
beginning of the month, it is nearly impossible to run a totally secure web
presence, especially when you are the size of Sony. As long as it is popular
within the hacker community to expose Sony's flaws, we are likely to continue
seeing successful attacks against them.
But Mr. Wisniewski says that Sony could have avoided these issues if had
hired experts to do thorough penetration testing (fake attacks that look to
simulate a malicious user to find and fix vulnerabilities). He writes:
The lesson I take away from this is similar to other stories we
have published on data breaches. It would cost far less to perform thorough
penetration tests than to suffer the loss of trust, fines, disclosure costs and
loss of reputation these incidents have resulted in.
He says that while Sony obviously is suffering from the barrage of attacks, at
the end of the day it may be forced into having the most secure design on the
market, much like Windows OS maker Microsoft Corp. (MSFT).
He comments, "While it's cruel to kick someone while they're down,
when this is over, Sony may end up being one of the most secure web assets on
II. The Cost to Sony
Richard Scott, a contributor of iconic infographics to BBC News and The
New York Times, has set his sights on Sony with his latest graphic.
It depicts an estimated cost to Sony of $24B USD.
That estimate comes from research by The Ponemon Institute, a data-security
research firm, who found that on average in 2010 a data breach cost a company
$318 USD per lost record in security, user protection, and legal costs.
That represents a 48 percent increase from 2009.
Forbes suggests the $24B USD figure, but that's only considering the
With the 24 million record SOE breach added in, the figure soars to
Sony is being conservative in its own cost estimates. Its financial
filings have indicated that the intrusions are clearly taking their toll on the
company -- it went from predicting a ¥70B ($855M USD) profit for the year
to now predicting a ¥260B ($3.14B USD) loss [source; PDF].
Sony blames much of that estimated loss on the earthquake (¥22B) and
The company say its expects only to have to pay ¥14B (about $172M USD) for
the PSN intrusion. This puts its expected expense per lost record at
about $2 USD per account.
It seems Sony may be a bit too optimistic here. If the industry average
is $318 USD per lost record, it'd be extraordinary for Sony to get away with
only paying $2 USD per record.
In 2010 Sony made $77.5B USD in revenue, with a $289M USD profit. If it
was forced to pay a $32.1B USD in total (based on the industry average) for the
breaches it could end up with a net loss of $35B USD or more for this year.
A $35B USD loss would be equivalent to approximately half the company's annual
revenue and equivalent to over 10 years in profit from relatively
"good" years. It remains to be seen exactly how dire the
financial situation for Sony gets, but one thing's for sure -- the picture
Sony is currently facing multiple class action lawsuits in the U.S.
and abroad from former customers.