The Sony Playstation Network system breach is bad enough, but it's being made worse by Sony's response to the problem.
For those unfamiliar with the story of the breach of the Playstation Network by hackers, read this story for the details.
Bottom line: sometime in late April, 2011, a hacker or hackers unknown penetrated the Sony Playstation Network, making off with information about an estimated 70 million customers. While not the largest theft of customer data in history, it was worse in terms of what the hacker(s) stole:
The statement from Sony / PSN reads as follows: “name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained”. No small prize when you have 70 million+ of those details!
Bad enough, of course. But made worse by Sony's handling of the event.
Rather than tell the truth about what they knew as soon as they knew it, Sony first downplayed the extent of the problem, portraying it more as an "outage of certain Playstation functions" and promising to fix the problem quickly.
Only later, and in increasingly ambiguous statements, did Sony admit that the problem was severe--customer data was stolen, the hacker(s) were unknown, and Sony wasn't sure when the network would return.
Hearing only this part of the story, one might be led to believe that while Sony didn't handle its public relations very well, it was the unfortunate victim of a nefarious person or group intent on stealing and reselling valuable data.
Well, it turns out that Sony was not the helpless victim, but the incompetent and/or careless holder of important consumer data that didn't take proper care or precautions to prevent a needless intrusion.
Here's what third parties have discovered, and what Sony has yet to comment on:
- Sony was running outdated, unpatched versions of the Apache web server for all Playstation services, including the authentication (login) service
- Sony had these servers directly connected to the Internet, without firewalls or other security mechanisms
- The configuration of the Apache servers was naive, allowing, for instance, the Apache server to report its version number and other information useful to a hacker
- All of these issues were discussed in open forums which Sony employees were known to monitor, at least two to three months before the hack occurred
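To make the third point concrete, here is an added example (not from this post, and not Sony's actual configuration) that audits an httpd configuration fragment for the two directives controlling what Apache reveals about itself, and classifies a Server header for version disclosure. Both config fragments are constructed for the example; the defaults assumed (ServerTokens Full, ServerSignature Off when absent) follow the httpd documentation.

```python
import re

# Constructed sample httpd config fragments for this example (not Sony's real config).
WEAK_CONF = """
ServerRoot "/etc/httpd"
Listen 80
# ServerTokens is absent, so httpd falls back to its default of Full
ServerSignature On
"""

HARDENED_CONF = """
ServerRoot "/etc/httpd"
Listen 80
ServerTokens Prod
ServerSignature Off
"""


def parse_directives(conf):
    """Return the effective (last-wins) value of ServerTokens and ServerSignature."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        m = re.match(r"(ServerTokens|ServerSignature)\s+(\S+)", line, re.I)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def audit(conf):
    """List disclosure findings; an empty list means both directives are tightened."""
    d = parse_directives(conf)
    tokens = d.get("servertokens", "Full")        # httpd default when absent
    signature = d.get("serversignature", "Off")   # httpd default when absent
    findings = []
    if not tokens.lower().startswith("prod"):     # Prod / ProductOnly hide the version
        findings.append("ServerTokens %s: Server header reveals version/OS details" % tokens)
    if signature.lower() != "off":
        findings.append("ServerSignature %s: error pages append a server version line" % signature)
    return findings


def discloses_version(server_header):
    """True if a Server header such as 'Apache/2.2.3 (CentOS)' carries a version or OS."""
    return bool(re.search(r"/\d|\(", server_header))
```

Running `audit(WEAK_CONF)` reports two findings, while `audit(HARDENED_CONF)` reports none; the same check can be pointed at a live server's `Server` response header with `discloses_version`.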
These issues, and others, were reported on by security experts, including one who testified in front of a Congressional Committee (which Sony was invited to but refused to attend):
In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers—and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.
If true, this shows an unconscionable lack of concern for proper treatment of sensitive customer data on Sony's part. And something for which Sony needs to answer in a court of law.