Sony seems to be living a nightmare this week. In a statement made today to Reuters, the company acknowledged that another Sony property had been attacked by malicious hackers and that more data had been stolen and published.
Even more embarrassing was the fact that the stolen information was published on a Sony web server that reportedly is part of Sony Electronics.
The information disclosed contained names and partial addresses of Sony customers who had participated in a 2001 sweepstakes. Sony’s comment is as follows:
“The website was out of date and inactive when discovered as part of the continued attacks on Sony,”
This appears to be a partial repeat of what they disclosed in their second statement acknowledging that Sony Online Entertainment had been compromised: “Don’t worry, it was old data on a forgotten server.”
I spoke with John Moe from Marketplace Tech Report on National Public Radio (NPR) last Wednesday. We discussed how long most organizations keep this kind of information and whether there are any regulations requiring it to be protected or deleted. You can listen to it here:
(4 May 2011, duration 4:00 minutes, size 1.9MBytes)
In an organization as large as Sony, the hackers targeting them may be able to continue to find low-hanging fruit. Unpatched old equipment at any of the various Sony subsidiaries could continue to embarrass Sony publicly.
Meanwhile, Sony PlayStation Network users are starting to get quite impatient as they await the return of the online gaming service.
In this case Sony is certainly doing the right thing. It is better to be offline and identify what must be done to return the service to a secure state than to simply turn it back on and allow attackers to target even more data.
Remember arcades? You can “chat” while competing, and you might even see the sunshine when you leave the house. It will be okay, gamers; soon enough you will be able to return to your couches.
Creative Commons image of an arcade courtesy of Sam Howzit’s Flickr photostream.