Sony data breach update reveals 'bad practices'
By Emily Chung, CBC News
Posted: May 3, 2011 2:43 PM ET
Last Updated: May 3, 2011 3:23 PM ET
Photo caption: The data breach affecting Sony Online Entertainment's 24.6 million accounts is linked to a previously announced cyberattack on Sony's PlayStation Network and Qriocity entertainment service, which affected the personal information of more than 77 million users. Thomas Peter/Reuters
Cybersecurity specialists are asking pointed questions about the way Sony manages customers' sensitive information, based on new details about its massive data breach.
Chester Wisniewski, a Vancouver-based senior security advisor with the computer security firm Sophos, said Tuesday that he was shocked when Sony disclosed Monday that an "outdated" 2007 database of credit and debit card data was among the information that may have been stolen from players of the EverQuest duology, Free Realms, and other massively multiplayer online games in the company's Sony Entertainment Online division.
The data breach affecting that division's 24.6 million accounts is linked to a previously announced cyberattack on Sony's PlayStation Network and Qriocity entertainment service, which affected the personal information of more than 77 million users.
Sony said there was no evidence its main credit card database for Sony Entertainment Online, kept in a "completely separate and secured environment," was compromised.
"So you're going, 'Oh, the main database was well protected — this was just an old one that was laying around,'" Wisniewski said. "Why is decommissioned personal information, and especially financial information, just on the network?"
Sony made no mention of whether the database, which affects customers outside the U.S., was encrypted, implying that it was not, Wisniewski suggested.
Avner Levin, director of the Privacy and Cyber Crime Institute at Ryerson University in Toronto, questioned why the database exists at all.
"If the credit card numbers are no longer valid, then why is Sony still keeping them?" he asked.
He said some credit cards in the database may not have expired yet. For cards that have expired, cybercriminals may be willing to find out their new expiry dates through trial and error: "It's not that difficult and they could get lucky."
The database also contained direct debit records listing bank account numbers of more than 10,000 customers in Germany, Austria, the Netherlands and Spain.
"Whether Sony's bad practices are an act of hubris or simply gross incompetence is hard to discern," Wisniewski wrote on Sophos's Naked Security blog Tuesday. "It is just unfortunate that Sony had not taken a few preventative measures to be sure our information was safe."
Lack of encryption questioned
In an interview with CBC News, Wisniewski noted that Sony had previously disclosed that its PlayStation Network credit card database was encrypted, but other personal information was not.
"If you've got the technology to be able to encrypt my credit card, why wouldn't you encrypt all of my personally identifiable information?"
Sony clarified on its PlayStation blog Monday that user passwords were protected using a method called hashing, which isn't strictly encryption, but makes use of a cryptographic algorithm.
Wisniewski said that may or may not do a good job of protecting user passwords depending on the type of hashing used. He likened it to a lock on a door: "Did you put in a deadbolt or just a cheap little doorknob you buy at Canadian Tire?"
He suggested the passwords are some of the most valuable information stolen, as many people use the same passwords for multiple accounts, including email and Facebook. Those accounts can in turn be used to retrieve or change other passwords.
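Wisniewski's "deadbolt or cheap doorknob" distinction, made concrete. This is an added example, not code from the article, from Sony or from Sophos. It assumes an unsalted, single-pass SHA-1 as the weak scheme and salted PBKDF2-HMAC-SHA256 as the strong one (the iteration count is an assumption to be tuned for the deployment, not a value from the article), and the account records are constructed for illustration. It shows the two properties a defender cares about after a dump leaks: with no salt, every user who chose the same password is exposed together, and each guess against the unsalted hash costs orders of magnitude less than a guess against the salted, iterated one.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Assumption (not from the article): iteration count for PBKDF2-HMAC-SHA256.
# Raise it as far as login latency allows; the record format below stores it,
# so old records keep verifying while new ones use the higher value.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """The 'cheap doorknob': unsalted, single-pass SHA-1. Fast to compute, and
    identical passwords give identical digests, so reuse is visible in a dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """The 'deadbolt': per-user random salt plus an iterated key derivation.
    Returns a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<key>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters; compare in constant time.
    Malformed or foreign records verify as False rather than raising."""
    try:
        algo, iter_text, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iter_text)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def duplicate_password_groups(weak_table: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose unsalted digests collide. Without a salt, one leaked
    table reveals every account sharing a password, and one precomputed lookup
    covers all of them at once. Salted records never collide this way."""
    groups: Dict[str, List[str]] = {}
    for user, digest in weak_table.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(users) for d, users in groups.items() if len(users) > 1}


def guess_cost_ratio(trials: int = 1000) -> float:
    """How many times more work a single PBKDF2 verification costs than a single
    SHA-1, measured on this machine. The absolute figure varies; the order of
    magnitude is what limits an offline guessing campaign against a leaked table."""
    start = time.perf_counter()
    for i in range(trials):
        weak_hash(f"guess{i}")
    weak_per_guess = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    strong_hash("guess0", salt=bytes(SALT_BYTES))
    strong_per_guess = time.perf_counter() - start
    return strong_per_guess / weak_per_guess


# Constructed sample accounts (not real users and not data from the article),
# with deliberate password reuse between two of them.
SAMPLE_PLAINTEXT = {
    "alice": "correct horse battery staple",
    "bob": "Tr0ub4dor&3",
    "carol": "correct horse battery staple",
}
SAMPLE_WEAK_DUMP = {user: weak_hash(pw) for user, pw in SAMPLE_PLAINTEXT.items()}

if __name__ == "__main__":
    print("reuse visible in unsalted dump:", duplicate_password_groups(SAMPLE_WEAK_DUMP))
    record = strong_hash("Tr0ub4dor&3")
    print("stored record:", record)
    print("verify correct password:", verify_strong("Tr0ub4dor&3", record))
    print("verify wrong password:  ", verify_strong("Tr0ub4dor&4", record))
    print(f"one PBKDF2 guess costs about {guess_cost_ratio():,.0f}x one SHA-1 guess")
```

Storing the algorithm and iteration count inside each record is what lets a site move from a weak scheme to a strong one gradually: existing users are re-hashed at their next successful login, and nothing has to be decrypted or reset in bulk. Password hashing is still distinct from the encryption Sony applied to its card database, which is reversible by design; a properly hashed password cannot be recovered from the stored record, only guessed against it.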
Wisniewski said the ultimate damage suffered by customers depends on who launched the cyberattack against Sony. The attackers may be politically motivated and simply wanted to make Sony look bad as revenge for alleged wrongs against hackers in the past.
But if they are criminals trying to make a profit, they may sell the data in parcels to other criminals all over the world for the purposes of committing fraud or other crimes.
"Either way, Sony's already taken their lumps," Wisniewski said. "Let's hope that their customers don't have to pay the price as well."