A new report from PC World asserts that Sony could have done more to prevent the PlayStation Network breach. Some also criticized Sony for the way it handled the aftermath of the PlayStation Network hack.
The security breaches have hit three of Sony’s networks – the PlayStation Network, Qriocity and Sony Online Entertainment (SOE) services. The company’s servers were hacked sometime between April 17 and 19. Sony discovered the hack of the PlayStation Network and Qriocity services on April 19, but didn’t make a public announcement until April 26. Sony announced earlier this month that the SOE service had also been breached. The services remain offline while Sony works to improve its security.
More than 100 million people have had their personal information compromised by the attacks. About 12 million account holders worldwide had credit card information on file with the networks, but Sony can’t confirm if that information was accessed. However, various media outlets have reported that parties purporting to be the hackers have offered credit card information for sale on underground online forums.
Sony already faces at least two class action lawsuits over the security breach, one in the U.S. and one in Canada. Among other things, both lawsuits seek to compel Sony to pay for credit monitoring for affected customers.
According to PC World, Gene Stafford, a computer security professor at Purdue University, testified during a hearing of the House Subcommittee on Commerce, Manufacturing, and Trade that Sony used an outdated version of the Apache Web server software and had no firewall installed. Stafford said the issue was “reported in an open forum monitored by Sony employees” two to three months prior to the recent security breaches.
Not surprisingly, Sony has denied Stafford’s allegations, but he’s not the only one questioning the company’s security precautions prior to the attack. Stan Stahl, president of the Los Angeles chapter of the Information Systems Security Association, told PC World that Sony’s assertion that the hack was, in part, the result of an earlier denial-of-service attack, indicates Sony’s security approach was outdated.
Steve Santorelli, director of outreach for Team Cymru, a nonprofit security research company in Chicago, pointed out that companies like Sony need to invest more in stopping attacks.
“If you’re a big enough target, you’re going to have a lot of very talented people with a lot of resources and time hammering away at your systems,” he said.
Others are criticizing Sony for its actions after the hack, and for not having a process in place to respond to such a data breach.
“Everyone was assuming that Sony, being Sony, would have their act together,” Mike Meikle, CEO of IT consulting firm Hawkthorne Group, said, “and I think that’s what’s annoying people more than anything.”