Yesterday was a big day for Sony in a number of different ways.
What should have been good news was tempered a bit as well. According to a story at the LA Times, "The Welcome Back package Sony promised last month alongside ID-theft insurance isn't yet available in the online storefront." This continued delay will likely irritate a number of Playstation Network (PSN) users who keep being thanked by Sony for their patience in light of the inconvenience of both the hack attack and its own delayed response in preventing any further harm that may stem from the attack.
In addition, Sony and Epsilon - which had a breach of its own earlier this year - testified yesterday about the details of their individual hack attacks before the US House Energy and Commerce Committee's Subcommittee on Commerce, Manufacturing, and Trade. Both companies defended their IT security and customer breach notification processes.
"Despite taking what we believe were extremely appropriate and substantial steps to build a safe and protected network, hackers were able to get into our network."
"We believe the security we had was very, very strong and we were in good shape."
Of course, Mr. Schaaff didn't say what benchmark Sony was measuring against when he claimed Sony's network security was "very, very strong." Many IT security folks - and especially hackers - have not been impressed by Sony's security measures, either before or after the hack attack.
Sony and Epsilon both said that they supported some sort of federal legislation that would create a uniform national standard for data breach notification (see Sony's congressional testimony (PDF) here and Epsilon's testimony (PDF) here). Mr. Schaaff also gave some issues to consider as the law is being crafted:
"Laws - and common sense - provide for companies to investigate breaches, gather the facts, and then report data losses publicly. If you reverse that order - issuing vague or speculative statements before you have specific and reliable information - you either confuse and panic people, without giving them useful facts, or you bombard them with so many announcements that they become background noise."
Overlooking the fact that this statement was a backdoor way of again justifying Sony's extremely slow notification of its customers about the PSN hack, the ideas highlighted by Mr. Schaaff have merit and should be contemplated.
Finally, as I mentioned, Sony's new IT security measures have not impressed hackers much. To drive home the point, reports first surfaced last night, and seem to be confirmed today, that a hacking group by the name of Lulzsec has stolen detailed information from 1 million "users who entered Sony competitions run by its Pictures Entertainment web site," according to this article at the International Business Times.
The information includes "names, birth dates, addresses, emails, phone numbers and passwords" the IBT story says.
Lulzsec claims that it hacked into Sony's network to show how vulnerable the company still is to simple cyber attack vectors.
If this keeps up, I am going to have to start developing a "Sony got hacked" blog post template.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.