June 3, 2011

Sony Falls Victim To Another Large Data Breach

Entertainment giant Sony has been slammed again with a second data breach, according to numerous media reports.

Sony was still attempting to restore its image from a similar hacking in April when it reported the loss of millions of credit card numbers from its PlayStation Network.

A loose-knit "hacktivist" group known as Anonymous allegedly began focused attacks on Sony's online services in April in retribution for its legal action against PlayStation 3 owners who cracked the game console software.

Anonymous acknowledged carrying out distributed denial of service (DDoS) attacks but denied involvement in any data theft or the latest attack by the group calling itself Lulz Security, or LulzSec, reports the AFP news agency.

LulzSec announced that they pulled off what they described as an elementary attack on Sony Pictures to highlight Sony's "disgraceful" security. "Every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it," LulzSec said in a statement. "They were asking for it."

Sony Pictures, a subsidiary of Sony Corporation of America, said Thursday it is aware of the LulzSec statement. "We are looking into these claims," said Jim Kennedy, executive vice president of global communications for Sony Pictures Entertainment.

LulzSec claims attacks on PBS television and Fox.com, saying it hacked servers that run Sony Pictures Entertainment websites. It published the names, birth dates, addresses, emails, phone numbers and passwords of thousands of people who had entered contests promoted by Sony.

"From a single injection, we accessed EVERYTHING," the hacking group said in a statement. "Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Sony has been under increased scrutiny to improve its online security since hackers accessed personal information on 77 million PlayStation Network and Qriocity accounts earlier this year, Reuters is reporting. Nobody has claimed responsibility for the April attack.

The Associated Press (AP) called a number listed by LulzSec as belonging to 84-year-old Mary Tanning, a resident of Minnesota. Tanning picked up the phone, and confirmed the rest of the details listed by LulzSec, including her password, which she said she was changing.

"I don't panic," she told the AP, explaining that she was very seldom online and wasn't wealthy. "There's nothing that they can pick out of me," she joked.

Several other people contacted by AP confirmed that their passwords had been published online. Many were angry and distressed. "If this is so, I'm very upset," said Elizabeth Smith, from Tucson, Arizona. "I'm very disappointed that Sony would not protect things like that."

Like several others contacted by the AP, Smith said she often entered online sweepstakes, including ones she described as being affiliated with Sony. Neither she nor anyone else reached over the phone said they had been contacted by Sony about the apparent breach.

Member of LulzSec have not been identified, and the group did not immediately reply to emails sent to their website's administrative and technical accounts or to a Twitter message posted to the web late Thursday. The group's website was only registered on Wednesday, according to an internet records search. The site's registrant is listed as being based in the Bahamas.

LulzSec recently claimed responsibility for hacking the website of the PBS television network to post a fake story in protest of a recent "Frontline" investigative news program on WikiLeaks. For the past two days, the group has been mocking Sony via Twitter and alluding to a hacking operation.

Twitter posts allegedly from LulzSec at times chastise "silly Sony" and "You Sony morons," saying "everything we have will be published in multiple ways to ensure maximum embarrassment and exposure for (Sony) and their security flaws."


On the Net: