Sony PlayStation Network Hack Is Just The Beginning Of Giant Data Thefts: Experts

NEW YORK -- Howard Stringer, the CEO of Sony, apologized to customers Thursday for the "inconvenience and concern" caused by an attack on Sony's computing system last month that compromised the private data of more than 100 million customers and prompted the company to shut down several of its services. "I know this has been a frustrating time for all of you," he wrote in a letter posted on Sony's PlayStation blog Thursday night. "We are absolutely dedicated to restoring full and safe service as soon as possible and rewarding you for your patience."

The "frustrating time" that Stringer referred to began on April 20, when members of the network team at Sony Network Entertainment America discovered that there had been an "unauthorized intrusion" into their systems. As Kazuo Hirai, Sony's executive deputy president, wrote this week in response to questions from a congressional subcommittee, the network team found evidence that a hacker, or hackers, had "transferred" data off the PlayStation Network, a service that connects users of the video-game device to each other, to Sony and to outside companies like Netflix.

There had been a theft, in other words. Sony shut down the PlayStation Network system and the media-streaming service Qriocity, which had also been hacked, and began what Hirai called "the exhaustive and highly sophisticated process" of assessing the damage.

After a six-day period of silence that had customers seething with frustration on message boards and blogs and in the press, Sony said that the intruders had stolen passwords and other information from some 77 million accounts. This was later revised to over 100 million accounts, 12 million of them containing unencrypted credit card numbers. More than two weeks after the breach, millions of PlayStation customers are still waiting for the network to come back online, and the identity of the hackers remains unknown.

Very little is known about the theft so far, at least outside of Sony. Aside from Hirai's letter to Congress and his appearance at a press conference in Tokyo on Sunday, Sony has resisted discussing what happened, citing concerns about an ongoing investigation.

Sony and the three security firms whose services it has enlisted to get to the bottom of the theft -- Guidance Software, Protivity, and Data Forte -- declined to comment on the case.

Yet the breach ranks as one of the biggest in history, and its sheer scope raises questions with far-reaching implications, not just for the millions of people who play games or download movies on Sony's PlayStation Network but for anyone who's ever recorded personal information on the Internet.

This theft could be symptomatic of a larger problem, and raises questions of how thefts like these happen and why companies haven't been able to prevent them.

Experts in Internet security say Sony is far from the only company vulnerable to data theft, and without improvements to web security we can expect hacks like this to happen again.

Joshua Corman, a research director for the 451 Group, a company that provides information to Internet technology entrepreneurs, called the Sony situation a "perfect storm." Although it's still unclear what caused the breach, he cited a range of possible factors. First, he said, there's the fact that the cybercriminal underground has become more serious, sophisticated, and widespread in recent years. The first generation of cybercriminals has matured and grown more specialized, and a new breed of hacker has come on the scene.

"There's the old adage that you don't have to run faster than the bear, you just have to run faster than your buddy," said Corman. "But there are lot more bears now, and they're hungrier."

Then there's the activist hacker group Anonymous and the lingering questions about its role in the attack. Shortly before Sony detected the data breach, Anonymous made headlines when members carried out "distributed denial-of-service" attacks on the company. In a "distributed denial-of-service" attack, hackers bombard or "nuke" a server with messages, essentially flooding the server's lines of communication and knocking it offline.

Anonymous had conceived the attack as a show of solidarity with George Hotz, a 21-year-old hacker whom Sony had sued for manipulating PlayStation devices so that they could be used for running software that the company hadn't approved. When Sony investigated the data theft, it found a file on one of the compromised servers labled "Anonymous." Inside was the group's slogan, "We Are Legion."

Anonymous denied responsibility for the theft, noting in a statement posted on DailyKos that "standard online thieves would have every reason to frame Anonymous in order to put law enforcement off the track."

Even so, the group may have inadvertently contributed to the theft through its denial-of-service attacks, simply by distracting Sony from its ordinary security duties, as Sony claims. And either way, according to Corman, the mere suggestion that Anonymous may have played a role points to the increasing prominence of ideologically motivated attacks, a further complication in the cyber-security landscape.

Corman also viewed the theft as a symptom of inadequate security at companies across the web, not just Sony. "We have indefensible infrastructure," he said, "which was okay for a time, but now that there are more attackers, and more motivated attackers, we're all sitting ducks."

Corman noted the gap in technological strength between hackers and the companies they hack.

"The adversary community that is financially motivated is getting better at their jobs," he said, whereas, "the defenders are doing almost identical security defenses as they were doing in 2003."

Geoff Webb, the director of product marketing for Credant Technologies, a vendor of encryption technology, alluded to one possible reason why the defenders might be lagging behind. "People don't get rich by deploying security technology," he said. "Companies have to ask themselves, 'How much am I prepared to do to reduce pain -- potential pain -- in the future?'"

Until recently, Webb said, companies more or less got away with lax security. But thanks to a spate of recent incidents like this one, including a massive security breach at the marketing firm Epsilon that came to light in April, that's beginning to change. "We are seeing organizations very rapidly think about, well, 'How do I protect information?'" he said. "Consumer tolerance and legislative tolerance [are] wearing thin."

Michael Sutton, the head of research and development at Zscaler, a company that specializes in securing information stored online, said that Sony was "just the latest in an increasingly long list of corporations" that appeared to have been targeted by "very motivated, very focused, and likely well-funded hackers."

"If you have a determined adversary they will find a way in," he said, "unless you have the absolute best security controls." He added, "In most of these cases, we're finding that these security controls were not the best they could have been."

Developers and providers of online security technology aren't the only people sounding off about the need for tighter controls. In her opening statement at a Wednesday hearing on data theft held by the House Subcommittee on Commerce, Manufacturing and Trade, Rep. Mary Bono Mack (R-Calif.), the chair of the committee, proclaimed that Americans "need additional safeguards to prevent identity theft" and promised to "introduce legislation designed to accomplish this goal."

She said that the Sony theft was shaping up to be the "Great Brink's Robbery" of data breaches, and argued that it was part of a larger trend.

"Last month alone, some 30 data breaches at hospitals, insurance companies, universities, banks, airlines and governmental agencies impacted nearly 100 million records," she said, citing the Privacy Rights Clearinghouse. "And that's in addition to the massive breaches at Epsilon and Sony."

At a second hearing Thursday, Eugene Spafford, a Purdue University professor who oversees a campus institute concerned with computing-security issues, backed up Bono Mack's sentiments.

In his testimony, Spafford suggested that the prevalence of online security breaches could partly be attributed to "the increase in sophistication of attackers, and the growth in data." But only partly. He said he'd concluded that "operators of these systems -- both in government and the private sector -- continue to run outmoded, flawed software, fail to follow some basic good practices of security and privacy, and often have insufficient training or support."

Echoing Webb of Credant technologies, he stated bluntly, "The most commonly cited reason for these failings is cost."