Sony Ill Prepared for PlayStation Network HackMay 13, 2011 | Parker Waichman LLP
Sony wasn't prepared for last month's PlayStation Network hack, according to new report from PC World. Sony is facing criticism for outdated security, as well as its apparent lack of a plan for acting in the wake of a breach.
“Everyone was assuming that Sony, being Sony, would have their act together,” Mike Meikle, CEO of IT consulting firm Hawkthorne Group, told PC World, “and I think that’s what’s annoying people more than anything.”
At a congressional hearing earlier this month, Gene Stafford, a computer security professor at Purdue University, testified that Sony used an outdated version of the Apache Web server software, and had no firewall installed. According to his testimony, this was known on an internet forum "monitored by Sony employees” two to three months prior to the recent security breaches. Sony denies the allegations.
Sony has said that it believes the hack had its origins in a denial of service attack. Stan Stahl, president of the Los Angeles chapter of the Information Systems Security Association, told PC World that indicates Sony’s security approach was outdated.
The Sony PlayStation Network hack has now grown to ensnare more than 100 million users of the PlayStation Network, Qtriocity and Sony Online Entertainment (SOE) network. Sony learned on April 19 that the PlayStation Network and Qtriocity services had been compromised, but did not inform users until April 26. On May 2, it announced that information belonging to users of the SOE service had also been accessed. The information that was hacked includes credit card numbers, addresses, user names and any other contact info. The networks have been down since Sony discovered the breach.
Initally, Sony only offered its customers 30 or 60 day free memberships on its PlayStation Network. But the company has since said it would foot the bill for a year’s subscription to the AllClear ID Plus identity theft prevention service. The monitoring service includes a $1 million insurance policy to cover any losses due to identity theft.
Sony already faces at least two class action lawsuits over the security breach, one in the U.S. and one in Canada. Among other things, both lawsuits seek to compel Sony to pay for credit monitoring for affected customers.