Sony Computer Entertainment was forced to shut down its online gaming service, PlayStation Network (PSN), in 2011 after it was hacked and millions of users’ details were stolen. As the hack unfolded, users trying to access their PSN accounts were greeted with error messages saying that the system was either undergoing maintenance or suspended.
According to reports, approximately 77 million users had information stolen in the hack, representing one of the largest data security breaches in history. Among the stolen data were users’ names, addresses, email addresses, birthdates, usernames, passwords, logins and security questions. Many worried at the time that credit card information had also been stolen, and although Sony initially assured customers this was not the case, it later advised that credit card numbers may have been obtained.
Critics at the time complained that although credit card information was encrypted, the rest of the users’ information was not. Therefore, once the hackers gained entry to the system, they could simply read a list of passwords, emails and other personal items stored in plain text. Sony was also criticised for waiting a week before informing users of the hack, which was allegedly carried out by Anonymous splinter group LulzSec.
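The critics’ point is that a credential table which is readable once an attacker is inside the database is worth exactly as much to the attacker as it is to the application. The added example below (not code from the original article, and not a description of Sony’s actual systems) contrasts a constructed sample of a readably stored user record with the same record after the password has been replaced by a salted PBKDF2 hash, so that a stolen copy of the table no longer yields usable passwords. The iteration count and the storage format string are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# Constructed sample of a user table stored in plain text: once an attacker
# can read this table, every credential in it is immediately usable.
PLAINTEXT_RECORDS: Dict[str, Dict[str, str]] = {
    "gamer01": {"email": "gamer01@example.com", "password": "hunter2"},
    "gamer02": {"email": "gamer02@example.com", "password": "correct horse"},
}

# Assumption: work factor for PBKDF2-HMAC-SHA256; tune it to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash and return it as 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt per record means two users with the same password
    get different stored values, so a stolen table cannot be cracked in bulk
    with one precomputed table.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def migrate_records(records: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Replace every plain-text password with its salted hash; the original is dropped."""
    return {
        user: {"email": rec["email"], "password_hash": hash_password(rec["password"])}
        for user, rec in records.items()
    }


def table_leaks_passwords(records: Dict[str, Dict[str, str]], known_passwords) -> bool:
    """True if any known password appears verbatim anywhere in a serialized copy of the table."""
    dump = json.dumps(records)
    return any(pw in dump for pw in known_passwords)


if __name__ == "__main__":
    hashed = migrate_records(PLAINTEXT_RECORDS)
    print("plain-text table exposes passwords:", table_leaks_passwords(PLAINTEXT_RECORDS, ["hunter2"]))
    print("hashed table exposes passwords:    ", table_leaks_passwords(hashed, ["hunter2"]))
    print("login still works:", verify_password("hunter2", hashed["gamer01"]["password_hash"]))
```

The login path is unchanged from the user’s point of view: `verify_password` re-derives the hash from the salt stored beside it. What changes is what an attacker gets from a copy of the table.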
Sony Corporation should have used the 2011 breach as a catalyst for updating its cyber security – certainly a company the size of Sony did not have the excuse that it lacked sufficient resources to address cyber-security issues. However, the Japanese conglomerate instead focused on updating its terms of service so that users could not subsequently launch a class-action lawsuit against the company. The legality of such a move was questioned by commentators and the opportunity to extract some value from the breach was missed.
In late 2014, Sony’s PSN was hacked again, this time by the hacking group Lizard Squad. A hacker claiming to be a member of Lizard Squad told the BBC that the group’s motive was purely to expose cyber-security weaknesses.
How Sony should have responded
Given the earlier attack on PSN, should Sony have been in a position to repel any second attack because it had learned from previous mistakes? Jeffrey Carr, Chief Executive Officer of cyber-security firm Taia Global, cited the Sony case to The Hill as a reason for his support of a proposed law that would see companies obliged to disclose cyber-security information to the United States Securities and Exchange Commission (SEC).
Carr said that despite the 2011 hack costing Sony a reported US$171 million, the company failed to disclose details to the SEC or significantly update its systems. In a similar fashion, Sony Pictures Entertainment is yet to disclose to the SEC the details of December’s hack, which saw the company lose a number of movies to online pirate websites before their cinema release dates.
But what could Sony Computer Entertainment, or any other division of Sony, have done following the 2011 hacks to prevent being attacked again in 2014? Clouding the issue is the fact that many of the details of how Sony was hacked the second time are not clear. However, there are certainly a number of steps that Sony should have taken.
The first thing companies should do when attacked by hackers is to find out how the attack occurred and how to ‘plug the hole’. When addressing this issue, one sure way to mitigate risk is to purchase the best cyber-security defence the company’s budget can afford. In the words of the Federal Communications Commission (FCC): ‘Keep clean machines: having the latest security software, web browser and operating system are the best defences against viruses, malware, and other online threats.’
However, purchasing the best defence is just the first step. The online world is not a static one, says the FCC: ‘Set antivirus software to run a scan after each update [and] install other updates as soon as they are available.’
Additional measures that companies can take which cost little or no money include requiring employees to change their passwords every three months and making sure that third-party vendors comply with online company policies – there have been plenty of recent examples of companies being hacked via third-party vendors that lacked the cyber-security capability of their larger partners.
Access to IT systems should be given on a need-to-know basis. No employee should be given access to all data. If an employee needs to be able to use one part of the system but not another, then do not grant access to the latter. Very few employees should be given authority to install new software, and a process should be in place to ensure that only necessary and safe software is added to a company’s system.
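The need-to-know rule in the paragraph above only holds up if the access check is deny-by-default, so that a user holding a grant for one system does not implicitly gain another, and if software installation is gated on both an explicit install grant and an approved list. The example below is added here to show that model in code; it is not from the original article and does not describe Sony’s systems. The role names, system names and approved-software list are constructed sample data, and `find_overprivileged` is an added audit helper that flags any user whose combined roles reach every system, which is the “no employee should be given access to all data” condition.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    system: str
    action: str  # "read", "write" or "install"


# Constructed sample: each role bundles only the grants its job needs.
ROLES: Dict[str, Set[Grant]] = {
    "support_agent": {Grant("account_db", "read")},
    "billing_clerk": {Grant("account_db", "read"), Grant("payment_db", "read")},
    "platform_admin": {Grant("game_servers", "write"), Grant("game_servers", "install")},
}

ALL_SYSTEMS = {"account_db", "payment_db", "game_servers"}

# Constructed sample: the only packages the change process has reviewed and approved.
APPROVED_SOFTWARE = {"backup-agent 3.2", "av-scanner 9.1"}


def is_allowed(user_roles: Iterable[str], system: str, action: str) -> bool:
    """Deny unless some role the user holds explicitly grants this system/action pair.

    Unknown roles contribute nothing, so a typo in a role name fails closed.
    """
    wanted = Grant(system, action)
    return any(wanted in ROLES.get(role, set()) for role in user_roles)


def install_request(user_roles: Iterable[str], system: str, package: str) -> Tuple[bool, str]:
    """Approve an install only for a user with an install grant AND an approved package."""
    if not is_allowed(user_roles, system, "install"):
        return False, f"no install authority on {system}"
    if package not in APPROVED_SOFTWARE:
        return False, f"{package!r} is not on the approved-software list"
    return True, f"install of {package!r} on {system} approved"


def systems_reachable(user_roles: Iterable[str]) -> Set[str]:
    """Every system any of the user's roles touches, regardless of action."""
    return {g.system for role in user_roles for g in ROLES.get(role, set())}


def find_overprivileged(assignments: Dict[str, List[str]]) -> List[str]:
    """Audit helper: users whose combined roles reach every system in ALL_SYSTEMS."""
    return sorted(user for user, roles in assignments.items()
                  if systems_reachable(roles) >= ALL_SYSTEMS)


if __name__ == "__main__":
    # Constructed sample of role assignments for the audit.
    staff = {
        "alice": ["support_agent"],
        "bob": ["billing_clerk", "platform_admin"],   # reaches every system
        "carol": ["platform_admin"],
    }
    print("support agent reads account_db:", is_allowed(staff["alice"], "account_db", "read"))
    print("support agent reads payment_db:", is_allowed(staff["alice"], "payment_db", "read"))
    print(install_request(staff["carol"], "game_servers", "av-scanner 9.1"))
    print(install_request(staff["carol"], "game_servers", "unreviewed-tool 1.0"))
    print("over-privileged:", find_overprivileged(staff))
```

Running the audit periodically, rather than only at onboarding, catches the common case where someone accumulates roles as they move between teams.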
Being hacked for a second time can cause serious long-term damage to a company’s budget and reputation. Companies that do not learn the lessons of previous attacks, and do not proactively address any resulting concerns, can expect little sympathy from customers, the media or investors.
The discovery of a breach, whether it is related to data privacy, antitrust, anti-corruption or any other issue, is a prudent time for a company to conduct a thorough review and risk assessment of its compliance framework. Often, uncovering one breach can provide a valuable opportunity to not only tighten any gaps, but also identify whether there are any systemic control failures within the business.
The existence of improper conduct in one jurisdiction can sometimes lead to further investigations in other geographical regions where similar breaches are found to occur. Taking a proactive attitude to remediating any endemic problems, or preventing future instances from occurring, is viewed more favourably than dealing with issues in isolation. Compliance officers should always try to see the larger picture and ensure that the compliance programme as a whole is running smoothly.
Insider may have helped Sony hackers
One theory that has gained momentum in the aftermath of the massive cyber attack on Sony Pictures Entertainment is that it may have been the work of a company insider. Industry commentators have said that, without the help of a mole, the hackers would not have been able to wreak the havoc that they did. And many have dismissed altogether the idea that the government of North Korea was the guilty party.
Cyber-security firm Norse said that it had cross-referenced leaked human-resource documents with online hacker chat rooms and narrowed the list of potential suspects down to just six people, according to the New York Post.
On the allegations blaming North Korea, Norse Senior Vice President Kurt Stammberger said, ‘When the FBI made this announcement, just a few days after the attack was made public, it raised eyebrows in the community because it’s hard to do that kind of an attribution that quickly – it’s almost unheard of.’
Meanwhile, former federal cybercrimes prosecutor Mark Rasch told the Huffington Post, ‘The government acted prematurely in announcing unequivocally that it was North Korea before the investigation was complete.’
A former Sony employee also supported the insider theory, saying, ‘If you were a full-time employee, the security they had in place wasn’t exactly tight. You could imagine somebody could have walked out of there with data.’
The FBI has maintained that North Korea was responsible for the hack.
Regardless of whether it was an insider, there are steps that Sony could have taken to prevent staff members from aiding hackers.
The FCC’s number one tip for preventing hacks is to train employees on security principles. It advises companies to ‘establish basic security practices and policies for employees’.
Educating employees will help them to understand the potential repercussions of aiding hackers, and make them think twice before marching out of the door with valuable information. And guidelines will help prevent an employee from helping hackers by accident, either as a result of lax security practices or oversight of red flags.
Secondly, making sure, where possible, that all staff members are content in their jobs lessens the chance of a disgruntled employee taking revenge against the company. One way of doing this is embedding a vigorous whistleblowing programme that is easy to use. Managers should respond to complaints in a timely and fair fashion that ensures that employees feel their concerns are being addressed. Making sure that whistleblowers are protected from repercussions will encourage them to use internal systems before seeking outside help.