Sony PlayStation Network Hack: A lesson for all of us

Within a few months, one of the world’s most outlandish hacker attacks seems to almost be forgotten.

It was just a few short months ago, when Sony faced a security breach that opened the eyes of people around the world. Their PlayStation Network (PSN) and their paid-for music-streaming service, Qriocity, had been hacked sometime between April 16 and April 19, 2011. It didn’t take Sony long to figure out they’d been hacked, and immediately shut everything down on April 20, 2011. At the time, over 55 million PlayStation 3 consoles (PS3) and PlayStation Portables (PSP) were affected by this shutdown. This shutdown (and the poor explanation by Sony of what caused the shutdown), caused panic by many Sony customers, because it was determined that approximately 77 million records of user data was compromised (i.e. stolen) by the hackers. In this case, 77 million records containing some combination of people’s usernames, passwords, credit card information, security answers, purchase history and addresses. In all, over 2.2 million credit card numbers were allegedly stolen. The hackers used this stolen information to hack into other popular websites, using personal details stolen from Sony, to obtain access to other accounts (think Ebay, PayPal, Google Mail, etc). People were outraged. The dust has yet to settle. Sony did encrypt credit card information, but not well enough to prevent theft, and Sony did nothing to protect non-credit-card information.

Now that it has been a few months since Sony PlayStation Network has come back online (hopefully, a lot more secure), it benefits us to look at the issues and see how it can be a lesson to all businesses who conduct some form of transaction on the Internet, or otherwise store personal information of their customers.

What Sony faced

Sony failed on multiple fronts. They allowed the personal information of their users (i.e. customers) to get stolen. They also failed to warn their customers, and delayed an announcement for days. The attack happened sometime between the 16th and the 19 of April, and Sony claims they didn’t discover the theft until the 19th, and then decided to shutdown their network on the 20th. It wasn’t until the 26th, that they informed the public with a public statement, indicating that “user account information was compromised in connection with an illegal and unauthorized intrusion into our network” and that they will try to have the system running within the week. It wasn’t until May 2nd, that they told the public how many credit cards and user data records had been stolen.

It didn’t take long for the attorneys to respond. By April 27th, the first lawsuit was filed against Sony. The lawsuit claimed Sony failed to take industry standard efforts to protect its network and personal information, including the failure to encrypt its data and having adequate firewalls. The lawsuit also claimed that Sony failed to adequately and promptly warn users of the breach. The lawsuit also claimed that Sony didn’t follow the Payment Card Industry security standard (i.e. PCI and SDP), which requires that companies do not store components of cardholder data, and treat the rest of the cardholder data with certain standards. As of this blog article, Sony faces many other lawsuits and threats from UK, US, Canada, Australia, and China.

The costs to Sony

Sony had to fork out a significant financial sum to fix the problems, and deal with damage control. At last report, this fiasco alone was ending up at around $171M out of Sony’s pocket, not including the costs associated with defending against (and possibly paying judgements) on the lawsuits brought against them.  This sum includes the costs of a generous apology package, in which Sony offered a “welcome back” program that gave its users free games, a month of free PlayStation Plus, 100 virtual items on PlayStation Home, “On Us” movie rentals, and for current Music Unlimited Premium members, 30-days no charge use. Sony also offered a 12-month free identity protection program for anyone affected by the data theft. It was a nice gesture of Sony, but it didn’t stop their stock from plummeting 10% in the first week of the outage, and as of this Blog article, Sony’s stock is over 33% down from its high in the March-April timeframe.

Who did this to Sony?

In the UK, a 19-year-old male was arrested, who claimed to have connections with the perpetrators behind the Sony attack. This 19-year-old is also suspected to be part of the computer hacking group, Lulzsec. Lulz Security, or Lulzsec, is responsible for many high profile attacks, including taking the CIA website offline, compromising user accounts for Sony Pictures, and posting a fake story on the Public Broadcasting System’s (PBS) website. Lulzsec has also been releasing personal data off random or targeted websites, in an effort to force these websites to enhance their security. For example, they released secure details about some of Arizona’s law enforcement, in an apparent protest against that State’s anti-immigration reform. Re-read that bolded text you just read. It doesn’t create much of an emotional response, does it? However, take a look at the actual data (note: We have changed the information, to protect the officers):

1) Steven G. Kissya  #3011, Highway Patrol Division, [email protected], password: corina, 1234 S. Warrior Drive, Safford, Az 85546
   wife: Stephanie Kissya ([email protected]), cell: 928-123-4567, home: 928-123-4567
2) Steven Lomelipia #4847, [email protected], password: hl85648, 1234 W. Sunrise Drive, Nogales, Arizona 85621, cell: 520-123-4567
3) Larry D Turnstun #91326, [email protected], password: amostex, 12345 E Woodstock, FLAGSTAFF, AZ 86004-0000, home: (928) 123-4567

These “records” above are claimed to be representative of MILLIONS of records. What is the chance they have your account information, too? Seeing this information, at least for me, really invokes an emotional response. With nothing more than the careless or inadequate security precautions taken by my online vendors (i.e. Sony), I potentially open myself (and my businesses) to attack.

Lulzsec did announce their intention to retire, when they released a “50 Days of Lulz” statement to the public, saying that Lulzsec was made up of six people and that their website is to be shut down and their hacking efforts were to retire. Too bad, then, when they returned on July 18th, 2011, with attacks on British newspaper websites, The Times and The Sun. And, even if Lulzsec did retire, there are other hacker groups and individuals out there doing the same thing. For example, google the group “Anonymous.”

The lessons for all of us

As individuals, no matter how careful we are, if we use online services, we shall be (or probably already are) compromised. We can make it difficult for these hackers, by taking at least the following precautions:

• Use a different password for EVERY website, while still attempting to make the password hard to guess (i.e. no dictionary words, random character mix).
• Change your passwords frequently. Once a month is ideal, and change them now, since you haven’t done it in awhile. Don’t forget to change the passwords needed to read email.
• Only provide the most minimal amount of information necessary to get a transaction done. Name. Address. CC info. Don’t do business with businesses who require more information.
• Make sure, when giving information to a website, that it is a secure transaction (i.e. SSL security). Depending on your browser, there will be a way to tell. Google this, and become familiar with it.
• NEVER email sensitive information, ever.
• In fact, start encrypting all your email. Google “pgp email encryption” for more information.
• NEVER, ever, download and install software from anyone — unless it is a well-known and trusted source (i.e. Apple, Microsoft, Oracle, Symantec, Norton, etc). And no, your family member, coworker or friend isn’t a trusted source either. They know less about computers than you do.
• Keep your software on your computer up-to-date. If it’s running slow, you’re probably already hacked. Take your computer into your local computer store, get it wiped, and start over.
• Obtain regular credit reports, and check your credit religiously.

As businesses, we can learn from Sony’s misfortune. First, whether you want to or not, you need to invest well in (1) security and (2) security professionals. You cannot simply rely on the out-of-the-box security you get when you utilize that “one-size-fits-all” software you’re using for your customers. For example, websites and shopping carts. You need to keep this stuff up-to-date, and make sure you have the latest “patches” to prevent security problems from creeping into your offering.

Second, you really do need to think about “industry best practices.” That includes PCI and SDP standards when accepting credit cards. Make sure your vendors are PCI/SDP compliant. Do not leave sensitive information around, unprotected. Disgruntled employees are your greatest danger, so make sure you only give access to sensitive customer information on “a need to know basis” only, and make sure you do background checks on key employees or those employees who will have access to sensitive customer information. Also, don’t just put one person in charge. Make sure there is another person who is in charge of finding problems, to hold the other accountable.

Third, make sure you have an appropriate “Terms of Service” and “Privacy Notice” associated with your business, and stick with it. When a problem does occur — and it will, rest assured — make sure you disclose early and often to your customers, so they in turn may take steps to mitigate their damages. Write a good Terms of Service, then stick with it. Make sure you have the right policies and procedures to support your Terms of Service, and always make sure you are prepared for the worst.

Law 4 Small Business (L4SB). A little law now can save a lot later.