Sony has seen more than its fair share of data breaches this year. The trouble began in April when the electronics titan suffered one of the largest account hijacking attacks of all time, potentially affecting as many as 100 million PlayStation Network and Sony Online Entertainment accounts. The breach was so extensive that Sony was forced to shut down its online gaming services for almost a month to rebuild its network with better security.
But that wasn't the end of Sony's cybersecurity woes. In the following months, the company was also struck by a breach to a music entertainment service in Greece, an account hijacking attack to an internet service subsidiary in Japan, two smaller incidents in Indonesia and Thailand and an attack on SonyPictures.com.
So it was understandable that the data security community and industry observers collectively rolled their eyes this week when Sony revealed that it had once again been targeted by yet another cyberattack.
Similar to the April incident, the most recent cyberattack affected the PlayStation Network and Sony Online Entertainment, as well as the Sony Entertainment Network. Once again, the incident involved an attempt to hijack accounts, forcing Sony to freeze some of its online gaming services temporarily.
The difference this time around, though, is that Sony seemed prepared.
According to a statement from the company, it had detected "a large amount of unauthorized sign-in attempts" to these three services. Sony admitted that around 93,000 accounts appeared to be hijacked successfully and were subsequently locked down as a result.
While 93,000 is no number to bat an eye at, it is a far cry from the 100 million accounts compromised in the previous incident. Furthermore, this latest attack didn't require the company to shut down its services entirely – a move that would've likely ended up costing the company millions.
So what did Sony do right this time around? How did it manage to avoid yet another corporate blunder in what has been a dismal year for cybersecurity?
First of all, it should be noted that Sony is not the only company to suffer account hijacking incidents. These types of attacks are fairly common, and global enterprises like Google, Microsoft, Yahoo and others constantly have to deal with similar threats.
A report released this week by Barracuda Networks found that more than 10 percent of social media users believe their accounts have been hacked at some point. Additionally, online email services, such as Gmail and Hotmail, are often subject to these types of incidents.
Sony, it seems, has simply become the critic's punching bag this year when it comes to account hijacking – and not without reason. Following the April data breach, Sony CEO Howard Stringer admitted that his – or any – company cannot guarantee protection from data breaches. In an interview with the Wall Street Journal, he opined that the PlayStation Network would never be "100 percent secure."
“It’s the beginning, unfortunately, or the shape of things to come,” Stringer told the news provider. “It’s not a brave new world; it’s a bad new world.”
But the company that many assume has a target on its back has made significant attempts to thwart these attacks and has actually seen some positive results.
In May, representatives from Sony appeared before the U.S. House of Representatives Subcommittee on Commerce, Manufacturing and Trade, claiming that it would take "a number of steps to prevent future breaches." Included in these steps were the decision to move Sony's data center to an undisclosed location, improvements to data protection and encryption levels, enhancements to the ability to detect software intrusions and unauthorized user patterns and the appointment of a new chief information security officer, which took place in September with the hiring of former U.S. National Cyber Security Center director Philip Reitinger.
True to Stringer's words, despite these moves, Sony was unable to guarantee that consumer information would be safe, and the latest attack only served to emphasize this point.
Where, then, was Sony successful in mitigating these breaches? First of all, the damage in this latest breach was significantly less severe than in previous incidents. According to Sony's press release, no financial information was threatened as a result of this attack. Furthermore, less than one-tenth of the services' users were at any risk.
The company was also prompt in notifying those affected of the breach. Following the April attack, Sony was criticized for delaying to inform the public that it had been breached. This time, no such issue was raised. In its release, Sony said it would email affected account holders in the coming days and require that they reset their passwords. The company is also conducting an investigation into the incident.
Those affected, as well, can learn from Sony's woes. In a post on the PlayStation Network blog, Reitinger speculated that it's possible an outside source was compromised and provided cybercriminals with the information they needed to hack these 93,000 accounts.
"In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our networks," Reitinger stated.
This suggests that user's should be mindful of their online activities, and should vary their username-password combinations as often as possible.
This isn't to say that there isn't room for improvement on Sony's part. The excuse that "these things happen" isn't likely to allay the concerns of those affected by any data breach. But Sony has demonstrated that it has learned a lesson or two from previous incidents, and its openness regarding this latest situation is apparent. So clearly work is needed on both sides to protect against future breaches.
Security News from SimplySecurity.com by Trend Micro