SONY

Sony has been in the spotlight recently, all for the wrong reasons. In April 2011, Sony’s PlayStation Network was taken offline by a massive DDoS attack for 23 days.

During this time Anonymous stole the details of 77 million subscribers, at a cost reputed to be 171M USD. This was only the beginning: over the rest of 2011 there were a further 20 reported data leaks or security breaches. Unencrypted passwords and sensitive client information were stolen. Websites were defaced and services rendered slow or unavailable by DDoS attacks.

It would be unfair and unrepresentative to just highlight Sony’s bad luck with hackers, except that they did not react in any meaningful way to the initial attacks. The same attack vectors and the same attack techniques were used weeks later on another part of the company.

That brings us to the biggest loss of sensitive information and intellectual property (IP), in November 2014. History repeats itself. Sony did not learn from its previous breaches.

A team of hackers calling themselves the Guardians of Peace broke into the Sony network and claimed to have stolen 100 terabytes of information. 40 gigabytes have been released into the “wild”, including salary information, social security numbers, layoff strategies, over 6000 employee details and encryption certificates. Four unreleased films and unpublished scripts were also put into the public domain.

What does that tell us?

The obvious: there is no corporate vision for security at board level, and minimal respect for their clients or employees. Even the repeated loss of income hasn’t piqued their interest.

Further reading