New accusations about Sony's security procedures are being levied as the company braces for a third possible hack in the coming days.
Eugene Spafford, an information security professor at Purdue, accused Sony of being completely unprepared for the first two attacks during testimony before the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade earlier this week. The company, he said, was using outdated software on its servers, which allowed hackers to gain access.
"Presumably, [Sony is] large enough that they could have afforded to spend an appropriate amount on security and privacy protections of their data," said Spafford, who noted that his information came from other sources, not personal observations. "I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned."
If those accusations of lax security are confirmed, it could shift consumer sentiment against Sony—and may well result in some executive shuffles.
"If [Sony] can demonstrate 'We had five locks on the front door, but these guys went up against it with a battering ram,' it won't be seen as their fault," says Michael Pachter, an analyst with Wedbush Securities. "But if they were [unprepared], then yes, there should be a sacrificial lamb."
Meanwhile, CNET reports a group of hackers says it is planning another wave of attacks against Sony for the company's missteps in its handling of the PlayStation NetworkSecurity breach. The group reportedly claims it has access to some Sony servers and plans to publicize some of the personal information at its disposal.
(It is, however, worth noting that sophisticated hackers, like the ones who stole personal information for over 100 million accounts from Sony, rarely announce their plans in this fashion. The group contacting CNET may well be coattail riders, hoping for a little notoriety in the hacker community—and may have no plans to attack at all.)
Sony first became aware of the data breach, one of the largest in history, two-and-a-half weeks ago. The PlayStation Network servers were taken offline and the company began the process of rebuilding them to make them more secure. As of Friday morning, they remain offline, despite the company's vow Sunday morningto have them back up and running this week.
Sony says the network and security teams are in the "final stages" of internal testing of the new system right now.
Meanwhile, the inevitable legal consequences have already started. In the Northern District of California, a lawsuit has been filed on behalf of Kristopher Johns, 36, of Birmingham, Ala., saying Sony did not take "reasonable care to protect, encrypt, and secure the private and sensitive data of its users." The suit seeks monetary compensation and free credit card monitoring. It is seeking class action status.
And New York's attorney general Eric Schneiderman on Tuesday issued a subpoena to Sony, seeking information about how it protects customers’ personal information. Similar investigations are underway in Great Britain, Australia and Hong Kong.
Sony is in full damage control mode. The company says it still has not determined who is responsible for the hacks, but pointed an accusatory fingerat the collective group of hackers who go by 'Anonymous' in a letter to the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade earlier this week.
That group once again denied responsibility Thursday via a press release, saying it has never been known to steal credit card data.
Sony further announced Thursday that it plans to offer 12 months of identity theft protection to all customers free of charge. U.S. customers will have the opportunity to sign up with Debix's "AllClear ID" protection, which offers ongoing surveillance and insurance of up to $1 million for fees, lost wages and fraud losses tied to identity theft.
And, after a long, heavily criticized silence on the matter, Sony CEO finally addressed the issue in an open letter, apologizing to the company's customers.
"As a company we—and I—apologize for the inconvenience and concern caused by this attack," he wrote. "I know some believe we should have notified our customers earlier than we did. It’s a fair question. … I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process. Hackers, after all, do their best to cover their tracks, and it took some time for our experts to find those tracks and begin to identify what personal information had—or had not—been taken."