
Sony data breach update reveals 'bad practices'

By Emily Chung, CBC News

May 03, 2011

Photo caption: The data breach affecting Sony Online Entertainment's 24.6 million accounts is linked to a previously announced cyberattack on Sony's PlayStation Network and Qriocity entertainment service, which affected the personal information of more than 77 million users. (Thomas Peter/Reuters)

Cybersecurity specialists are asking pointed questions about the way Sony manages customers' sensitive information, based on new details about its massive data breach.

Chester Wisniewski, a Vancouver-based senior security advisor with the computer security firm Sophos, said Tuesday that he was shocked when Sony disclosed Monday that an "outdated" 2007 database of credit and debit card data was among the information that may have been stolen from players of the EverQuest duology, Free Realms and other massively multiplayer online games in the company's Sony Online Entertainment division. The data breach affecting that division's 24.6 million accounts is linked to a previously announced cyberattack on Sony's PlayStation Network and Qriocity entertainment service, which affected the personal information of more than 77 million users.

Sony said there was no evidence its main credit card database for Sony Online Entertainment, kept in a "completely separate and secured environment," was compromised.

'If the credit card numbers are no longer valid, then why is Sony still keeping them?'— Avner Levin, Ryerson University

"So you're going, 'Oh, the main database was well protected — this was just an old one that was laying around,'" Wisniewski said. "Why is decommissioned personal information, and especially financial information, just on the network?"

Sony made no mention of whether the database, which affects customers outside the U.S., was encrypted, implying that it was not, Wisniewski suggested.

Avner Levin, director of the Privacy and Cyber Crime Institute at Ryerson University in Toronto, questioned why the database exists at all. "If the credit card numbers are no longer valid, then why is Sony still keeping them?" he asked. He said some credit cards in the database may not have expired yet. For cards that have expired, cybercriminals may be willing to find out their new expiry dates through trial and error: "It's not that difficult and they could get lucky." The database also contained direct debit records listing bank account numbers of more than 10,000 customers in Germany, Austria, the Netherlands and Spain.

"Whether Sony's bad practices are an act of hubris or simply gross incompetence is hard to discern," Wisniewski wrote on Sophos's Naked Security blog Tuesday. "It is just unfortunate that Sony had not taken a few preventative measures to be sure our information was safe."

Lack of encryption questioned

In an interview with CBC News, he noted that Sony had previously disclosed that its PlayStation Network credit card database was encrypted, but other personal information was not.

What is hashing?
Hashing is a method commonly used to protect passwords. The technique uses a cryptographic algorithm to generate a string of characters from a given password. That string of characters, not the password itself, is stored in a database by companies like Sony. Each time a user is asked for his or her password, the algorithm is applied to the password the user types, the string of characters is regenerated, and it is then compared to the string stored in the database.

"If you've got the technology to be able to encrypt my credit card, why wouldn't you encrypt all of my personally identifiable information?" Sony clarified on its PlayStation blog Monday that user passwords were protected using a method called hashing, which isn't strictly encryption, but makes use of a cryptographic algorithm.

Wisniewski said that may or may not do a good job of protecting user passwords depending on the type of hashing used. He likened it to a lock on a door: "Did you put in a deadbolt or just a cheap little doorknob you buy at Canadian Tire?" He suggested the passwords are some of the most valuable information stolen, as many people use the same passwords for multiple accounts, including email and Facebook. Those accounts can in turn be used to retrieve or change other passwords.
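As an added illustration of the sidebar's description of hashing and of Wisniewski's deadbolt-versus-doorknob point (example code written for this page, not Sony's scheme and not code from the article; the two storage schemes, the iteration count, the record format and the sample accounts are all assumptions), the following Python compares an unsalted single-pass digest with a salted, iterated PBKDF2 digest, shows the login-time recomputation the sidebar describes, and shows why a stolen table of unsalted hashes exposes users who reuse a password:

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Example written for this page. The article does not say which hashing
# method Sony used, so both schemes below are assumptions chosen to show the
# difference between a weak and a strong way of storing a password hash.

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def store_unsalted(password: str) -> str:
    """'Cheap doorknob': one fast hash, no salt.

    The same password always produces the same digest, so a stolen table can
    be attacked with precomputed lookups, and every user who chose the same
    password is exposed at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """'Deadbolt': random per-user salt plus many iterations.

    Returns a self-describing record so the verifier can recover the
    parameters later (the record format is an assumption for this example)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """The login step the sidebar describes: hash the offered password with
    the stored salt and iteration count, then compare the result to what is
    on file, using a constant-time comparison."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never accept
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def count_identical_digests(table: Dict[str, str]) -> int:
    """Number of accounts whose stored digest matches at least one other
    account's digest.

    With unsalted hashes this reveals password reuse straight from the
    stolen table; with per-user salts it should be zero."""
    seen: Dict[str, int] = {}
    for digest in table.values():
        seen[digest] = seen.get(digest, 0) + 1
    return sum(n for n in seen.values() if n > 1)


# Constructed sample accounts; bob and carol reuse the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}

UNSALTED_TABLE = {u: store_unsalted(p) for u, p in SAMPLE_USERS.items()}
PBKDF2_TABLE = {u: store_pbkdf2(p) for u, p in SAMPLE_USERS.items()}

if __name__ == "__main__":
    print("accounts sharing a digest (unsalted):", count_identical_digests(UNSALTED_TABLE))
    print("accounts sharing a digest (pbkdf2):  ", count_identical_digests(PBKDF2_TABLE))
    print("bob, right password:", verify_pbkdf2("hunter2", PBKDF2_TABLE["bob"]))
    print("bob, wrong password:", verify_pbkdf2("Hunter2", PBKDF2_TABLE["bob"]))
```

The unsalted table shows two accounts with the same digest, which is exactly the reuse Wisniewski warns about: a thief who cracks one entry has cracked both. The salted, iterated table shows no matching digests and makes each guess cost 200,000 hash computations, which is the difference between the two locks in his analogy.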

Wisniewski said the ultimate damage suffered by customers depends on who launched the cyberattack against Sony. The attackers may be politically motivated and simply wanted to make Sony look bad as revenge for alleged wrongs against hackers in the past. But if they are criminals trying to make a profit, they may sell the data in parcels to other criminals all over the world for the purposes of committing fraud or other crimes. "Either way, Sony's already taken their lumps," Wisniewski said. "Let's hope that their customers don't have to pay the price as well."

PREVIOUS POSTS

Mar 11.11 | 'Assume you're always under attack': experts. By Liam Lahey, ComputerWorld Canada, 11 Mar 2011.
Enterprises must make a conscious decision about what information we're prepared to lose, said an exec with security vendor Symantec. Why companies are missing the mark with security risk management.

Oct 26.10 | 'Spear-Phishing' Attacks Keep on Giving. By Kim Zetter, wired.com.

Sep 16.09 | Web server attacks, poor app patching make for nasty mix. Jump in site hacks, lazy Adobe, Sun, Apple program patching to fuel online threats. By Gregg Keizer, September 15, 2009 03:44 PM ET.

Jul 02.09 | Heartland breach cost $12.6 million, CEO says. By Robert Westervelt, News Editor, SearchFinancialSecurity.com, 07 May 2009.
Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January, when investigators discovered a malicious program sniffing credit card data passing through its systems.

Apr 20.09 | RBS, Heartland no longer PCI compliant. By Dan Goodin in San Francisco, posted in Security, 13th March 2009 21:40 GMT.
Visa on Friday alerted the world that RBS WorldPay and Heartland Payment Systems are not on its list of payment card processors who are in good standing with industry-mandated standards for data security. The move follows announcements by both companies that they experienced data breaches that exposed details for a large number of credit cards to criminal hackers. RBS said the security lapse exposed 1.5 million cards. Heartland has yet to say how many cards were affected.

Sep 30.08 | FAQ: Clickjacking -- should you be worried? Nearly all browsers are vulnerable to this new attack class, but details are scarce.

Jul 25.08 | Credit-card fraud probe targets Pearson's self-service kiosks.
An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150 self-service check-in kiosks.

Feb 25.08 | Moneris Solutions launches new e-philanthropy initiative with C.N. Wylie Group.
Moneris' new eSELECTplus® payment tool will be used with Wylie's Helpforcharities.com Web site so organizations can easily accept electronic contributions and purchases online.

Jan 18.08 | Silent Banker Trojan: Banking in Silence.
Beware the Silent Banker Trojan, which sits quietly between your computer and your online banking to steal away payments. It can silently change the user-entered destination bank account details to the attacker's account details instead.