Ronnie05's Blog

Sony Data breach: User backlash and lessons in security

Posted in Industry updates by Manas Ganguly on May 4, 2011

The data breach at Sony has obviously left the corporation a bit shaken and stirred, and Sony for its part has been trying to make good the losses in both credibility and services. While customers will get complimentary downloads and 30 days of free premium services as a make-good, the breach raises fundamental questions about user-data security. A few questions that Sony needs to answer transparently are:

1. Even though the initial analyses indicated that credit card data wasn't stolen, what kept Sony waiting for 7 days before it made this event public? No fraudulent activity was recorded in those 7 days, but that was the period when the possibility of fraud was at its maximum. All that Sony did on learning of the crime was to shut down its PlayStation Network, which stopped further leaks but did not adequately address the information already lost.
2. Sony probably did not pay enough attention to security when it was developing the software that runs its network. In the rush to get out innovative new products, security can sometimes take a back seat. New software also has errors in it, so exposing code with errors in it to large numbers of people is a catastrophe in the making. Sony will have to explain the lack of adequate security guarding sensitive information.
3. Data storage is categorized into sensitive credit card information, which is given a higher class of access security, versus other details such as name, password, age, gender, family details etc. This layering of security may cause larger ripples in the form of individual email-based phishing scams and attacks. ALL USER DATA NEEDS TO BE ACCORDED A FORTRESS SECURITY SETUP.
4. The second data breach reportedly involved an outdated database from 2007. If that is the case, the question arises of how outdated data is treated and secured. Shouldn't that be well secured as well?

Sony has been more forthcoming about the security breaches than most, given that the bulk of attacks on corporate and governmental computer networks go unreported because victims want to avoid the embarrassment and public scrutiny that come with acknowledging that their systems have been hacked. In many cases companies seek to keep the matter quiet by telling individual customers of the problem without issuing a public statement like the one from Sony this week. For example, 85 percent of some 200 companies in electricity-producing industries said that their networks had been hacked, according to a survey released this month by security software maker McAfee Inc and the non-profit Center for Strategic and International Studies. Yet utilities rarely disclose such attacks. In many cases, intrusions go undetected by the victim company, leaving the firm and its customers completely unaware that criminals have access to their sensitive data.

The hacking of Sony Corp's PlayStation Network, Sony Online Entertainment and Qriocity has earned a place in the annals of Internet crime. It is one of the biggest online data infiltrations ever and is a sign that the industry may face new threats. It also serves as a reminder that as we move into the digital world, we put more and more of our digital identity into the cloud, or digital devices … Security is going to be a tremendously important part of what we do. Payments security is evolving along with intelligent devices, like smartphones and contactless cards, and technologies such as NFC. Security standards and their upgrading are a key component of maintaining data privacy and data integrity.
