Analysis: What's so special about Sony's massive data breach?

BOSTON Thu Apr 28, 2011 4:14pm EDT

A man walks on a floor advertisement for Sony Corp's PlayStation 3 game console at an electronic store in Tokyo April 27, 2011. REUTERS/Yuriko Nakao


BOSTON (Reuters) - The hacking of Sony Corp's PlayStation Network has earned a place in the annals of Internet crime.

That's partly because of the massive size of the data breach -- information about 77 million customer accounts was stolen. It is also because Sony bothered to disclose the attack at all.

The bulk of attacks on corporate and governmental computer networks go unreported because victims want to avoid the embarrassment and public scrutiny that come with acknowledging that their systems have been hacked.

Companies fear that their stock price might take a hit or that their brand might be damaged after news of an intrusion, said Jerry Dixon, a former government official who was instrumental in setting up the U.S. government's crime-fighting Computer Emergency Readiness Team.

"Everybody's network is getting hammered all the time," said Dixon, director of analysis at Team Cymru, a non-profit security research group.

Sony shut down the network on April 19 after discovering the breach, one of the biggest online data infiltrations ever. But it was not until Tuesday that the company said the system had been hacked and that users' data could have been stolen.

In the United States, several members of Congress seized on the breach, in which hackers stole names, addresses and possibly credit card details. One U.S. law firm filed a lawsuit in California on behalf of consumers.

Democratic Senator Richard Blumenthal of Connecticut called on the Justice Department to investigate the matter.

The FBI launched an inquiry and urged anybody with information about the attack to contact an agency hotline (+1 858-565-1255).

CODE OF SILENCE

Experts say that many companies only disclose break-ins when they are required to do so by government regulations that say they must tell customers whose data was compromised.

In many cases companies seek to keep the matter quiet by telling individual customers of the problem without issuing a public statement like the one from Sony this week. (bit.ly/kik7DC)

The publicity over the break-in has exposed Sony to global legal scrutiny, with officials from Hong Kong to London and Washington looking into the breach.

Sony's PlayStation Network, a service that produces an estimated $500 million in annual revenues, provides access to online games, movies and TV shows. Nine out of 10 PlayStation Network users are based in the United States or Europe.

Security experts say that companies that are attacked remain silent most of the time.

For example, 85 percent of some 200 companies in electricity-producing industries said that their networks had been hacked, according to a survey released this month by security software maker McAfee Inc and the non-profit Center for Strategic and International Studies. Yet utilities rarely disclose such attacks.

One in four of those companies in the McAfee/CSIS study reported that they had been victims of extortion campaigns from hackers who had broken into their networks. (tinyurl.com/3vgp5us)

In many cases, intrusions go undetected by the victim company, leaving the firm and its customers completely unaware that criminals have access to their sensitive data.

"Everybody's data is at risk. We've all got to worry about our personal information, wherever it may be," said Josh Shaul, chief technology officer for Application Security Inc.

SPEAR "PHISHING"

Sony said it had encrypted all credit card numbers, which would make it extremely difficult for hackers to access that data. But criminals might use other personal information that was not encrypted to launch scams.

With birthdates, email addresses and home addresses, hackers can launch spear "phishing" attacks that are targeted at those individuals.

Spear phishing refers to attacks that are customized to each individual target. Hackers draft emails that contain enough personal information to persuade the victim to let down their defenses, which can be enough to get them to click on a link that downloads malicious software onto their personal computer. (Additional reporting by Jeremy Pelofsky. Editing by Kenneth Li and Robert MacMillan)
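The pattern the last two paragraphs describe (leaked address and birthdate used as bait, plus a link that delivers software) can be turned into a simple mailbox-side check. The script below is an added illustration and is not code from Sony, Reuters or any product; the leaked record, the two messages and the indicator weights are constructed for the example and the heuristic is deliberately crude.

```python
"""Added example: score an inbound e-mail for the spear-phishing pattern the
article describes (leaked personal details used as bait, plus a link that
downloads software). Sample record and messages are constructed, not real."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed stand-in for the kind of record exposed in the breach
# (name, e-mail, home address, birthdate). Not real data.
LEAKED_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "address": "12 Sample Street",
    "birthdate": "1984-03-12",
}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOWNLOAD_EXT = (".exe", ".scr", ".msi", ".jar", ".zip")


def personal_details_used(body, record):
    """Fields from the leaked record that appear verbatim in the body.
    The name is deliberately excluded: legitimate mail uses it too, so it
    carries no signal on its own; a home address or birthdate rarely appears
    in ordinary marketing or service mail."""
    text = body.lower()
    return [f for f in ("address", "birthdate") if record[f].lower() in text]


def mismatched_links(body):
    """Anchors whose visible URL points at a different host than the href."""
    out = []
    for href, anchor_text in HREF_RE.findall(body):
        shown = URL_RE.search(anchor_text)
        if shown is None:
            continue
        if (urlparse(href).hostname or "") != (urlparse(shown.group()).hostname or ""):
            out.append((href, shown.group()))
    return out


def download_links(body):
    """URLs whose path ends in an extension that would deliver a program."""
    return [u for u in URL_RE.findall(body)
            if urlparse(u).path.lower().endswith(DOWNLOAD_EXT)]


def score_message(raw_message, record):
    """Return (score, indicators). The weights are an assumption for
    illustration, not a calibrated rule."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # the samples below are single-part text/html
    indicators = {
        "personal_details": personal_details_used(body, record),
        "mismatched_links": mismatched_links(body),
        "download_links": download_links(body),
    }
    score = (len(indicators["personal_details"])
             + 2 * len(indicators["mismatched_links"])
             + 2 * len(indicators["download_links"]))
    return score, indicators


# Constructed samples. The first imitates the spear-phish the article warns
# about; the second is an ordinary newsletter that also addresses the user by name.
SPEAR_PHISH = """\
From: Account Security <support@psn-security-alert.example>
To: alice@example.com
Subject: Action required: confirm your account
Content-Type: text/html

<p>Dear Alice Example,</p>
<p>Following recent events we are re-verifying the account registered at
12 Sample Street (date of birth 1984-03-12).</p>
<p>Install the security update now:
<a href="http://cdn.update-mirror.example/psn-update.exe">http://playstation.example/update</a></p>
"""

NEWSLETTER = """\
From: Store News <news@store.example>
To: alice@example.com
Subject: This week's deals
Content-Type: text/html

<p>Hi Alice Example, this week's offers are here:
<a href="http://store.example/deals">http://store.example/deals</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("spear-phish", SPEAR_PHISH), ("newsletter", NEWSLETTER)):
        print(label, score_message(raw, LEAKED_RECORD))
```

The check only works because the defender knows which fields leaked; that is the practical point of the paragraph above. Once a breach notice says address and birthdate were taken, mail that quotes exactly those fields back to the recipient is worth more suspicion than mail that merely uses the name, and a link whose displayed host differs from its real host or that ends in an executable is the delivery step the article describes.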
