Sony has been hacked …. again. This time it is a group of hackers known as LulzSecurity and they’re declaring bragging rights for the hack as well as claiming they’ve stolen 1 million user accounts using an easy exploit against SonyPictures.com according to an article on ZDNet.
This is the fifth blog I’ve written about Sony’s data breaches in six weeks, and I would have quit by now out of sheer monotony except for the fact that their actions (or lack of actions) to remedy the situation continue to provide sobering insight into how consumer data is at the mercy of poor security measures by large companies (in medium and small companies it’s even worse), and what we’d better be doing about it. My previous posts on the Sony drama are linked at the bottom of this blog.
The sheer number of times Sony has been hacked in the last few weeks appears to provide three clear lessons:
- Sony still hasn’t taken security seriously. Yesterday Sony testified before a House Energy and Commerce subcommittee meeting saying they had tight security before they lost any consumer data. Yet according to the LulzSecurity hackers, not only did they use a very old and primitive exploit that Sony should never have left vulnerable, there was no encryption on the data they accessed – Sony had it stored in plain text just waiting to be copied. Your passwords were in plain text. Your address was in plain text. Your date of birth was in plain text. AARGH! The hackers ask the public this question – “Why do you put such faith in a company that allows itself to become open to these simple attacks?” It’s a darn good question.
If your information is stored by Sony it’s a question you should consider how to answer. A) I don’t care if all my information is ripped off multiple times. B) I’m too lazy to do anything about it. C) I’m a fatalist; the crooks already have it, so how can it hurt me anymore. D) Damn good question, I have no faith in Sony’s ability or diligence in protecting my data, and I’m demanding they wipe my record.
Another good question is how does Sony define “tight security”? It’s hard to reconcile the statement made yesterday on the Hill with a statement made by Kazuo Hirai, chief of Sony Corp.’s PlayStation video game unit, to the press on May 1st after the first incident. In that interview he said “Sony has added software monitoring and enhanced data protection and encryption as new security measures”. If they quickly found where they needed to add security measures, and if hackers got past their security measures, exactly how tight were they?
- Hackers and criminal organizations are dogged. To prevent a hack, companies must have exceptional security measures in place, test them frequently, and stay on the front end of new security developments. Back in the good old days the goal was to embarrass Microsoft and exploit companies running MSFT technologies. Of course back then, Microsoft was the biggest game in town. MSFT is still a target, but the company learned to take securing consumers’ information very seriously. Given recent news, one could wish that Apple, Sony, Lockheed, Google, Epsilon, and other companies, would do the same. If these companies’ security is tight, it needs to be tighter. If these companies can go in after-the-fact and find places that needed additional security, they should have found these through rigorous testing prior to the breaches.
- Leaving security choices up to companies puts us at real risk. As consumers, we can’t see how well our data is protected by companies, organizations, even government bodies; we only have their word for how ‘seriously’ they protect the data. That ‘trust us’ position is just not good enough as a quick scan of breaches on the Privacy Rights Clearinghouse will tell you. A whopping 533,686,975 personal data records have been reported compromised, and this is far short of the actual number of breaches. With 309 million U.S. citizens, we’re nearing an average of two breaches apiece.
The alternative to allowing companies to set their own security and breach notification standards is to have regulated standards. Generally I’m in favor of industries managing themselves, but that philosophy just isn’t working. Interestingly, both Sony and Epsilon said they wanted regulations when they agreed in yesterday’s hearings that a uniform federal law governing disclosure would improve responses to future breaches. What a sad statement. Basically it says to the government – and all of us consumers – that if you don’t make us [companies] do a better job, we [companies] won’t do a better job.
Clear lack of corporate motivation to improve security without regulatory pressure
The comments by Sony and Epsilon’s representatives in the House hearings aren’t unique. The consulting firm Enterprise Strategy Group asked 308 IT professionals in large companies what factors motivated their decisions to improve data security. Regulatory compliance topped the list, and this very interesting table was created to illustrate the factors that went into corporate decision making.
What this lays clear is that a large piece of the security problem is in corporate leadership, where budget choices consistently short-change security departments. There is typically a mental distinction between what are considered revenue generating departments, and those that are cost generating - the ones that cut into the profits. Company management teams’ interests always tend to prefer funding departments that will generate more revenue and constrict funding to departments that eat up revenue.
In tough economic times, this disparity often becomes even sharper. This creates the potential for an environment where development teams on revenue generating services are creating ever more cool services for ever more consumers, while the security teams, who were barely holding things together on their shoestring budgets, fall further behind. And little holes become bigger holes, security training and security auditing lag, funds for external parties to help test security measures are scant, and corporate leadership turns a blind eye to the mounting risks.
Knowing this industry, the security departments in the breached companies (and within breached organizations, schools, and govt. bodies) warned their management teams repeatedly that they were understaffed, under-trained, and under-funded for upgrades, innovations, and defenses. But their warnings fell on deaf ears.
These management teams gambled our safety against greater profits, and guess what? Not only did we lose a bet we didn’t agree to, the companies still made profits! This combination is hardly a motivator for behavioral changes.
Several reports have talked about the “staggering sum” Sony has had to pay for their first two data breaches. If the news is accurate, the cost of the first two data breaches is estimated to be $170 million. While $170 million sounds like a lot of money, to a global company like Sony with an annual revenue of 77.5 billion last year, it’s just an uncomfortable drop in the bucket. When divided by the number of consumers whose personal records were compromised in those first two breaches (estimated to be around 100 million subscribers) that’s just $1.70 per user. Compare that to the $49.99 they charge for an annual PlayStation Plus subscription. People should demand a full refund for the faulty product and free identity theft protection.
Of course we’re just in round one. There is at least one class action lawsuit underway; only time will show how many customers they lose over the ordeal, the impact to their brand, or the fully burdened cost after everything shakes out. The Ponemon Institute has estimated that the final cost to Sony may be closer to $24 billion, or nearly a third of the company’s annual revenue. That size dent would be a motivator. Click to see an infographic based on the Ponemon Institute’s estimate.
Additional insight into breach costs and projections is provided through the Ponemon Institute’s 2010 U.S. Cost of a Data Breach study. Two conclusions nearly glued my eyebrows to my hairline:
“Rapid response to data breach costs more. For the second year, we’ve seen companies that quickly respond to data breaches pay more than companies that take longer. This year, they paid 54 percent more.” While I trust the research data’s conclusion that this is true for companies, it isn’t true for consumers. The sooner consumers know to take precautions, the less the incident may cost them. This data begs the question of whether cost savings were the motivation behind Sony’s delays in advising consumers.
“The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it… [but] most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.” If this belief is correct, we’re screwed on three levels. 1) It means companies expect the status quo of constant breaches to be the norm, and they aren’t planning on implementing the major changes needed to tighten security and protect consumers. 2) It means we as consumers have failed to make the penalties for exposing our data painful enough for companies to change their practices or be run out of business. 3) It means our safety and privacy online and offline will be utterly compromised.
Never give up demanding your data be protected, or it won’t be protected
Let your elected officials hear your dissatisfaction along with a request for stronger requirements on companies holding consumer data.
National security standards need to be strengthened to:
- Significantly increase penalties to companies with data breaches that failed to provide strong security protections. It has to HURT to compromise consumer data or it will become just a ‘cost of doing business’.
- Increase the requirements (and penalties) regarding the speed of notification to consumers affected by data breaches – we can’t have them dragging their heels to save money while the consumer picks up a greater burden.
- Establish security standards for companies and test these as vigorously as (or more vigorously than) we test car safety, food safety, and other products for safety.
- Increase assistance to consumers affected by data breaches – and make sure the companies are the ones footing the bill.
If your data has been compromised, take action NOW
- Be diligent in monitoring your financial and medical identities. The information accessed by these hackers has significant value and criminals will exploit any information they acquire – not just once, but many times over. Identity theft doesn’t have an expiration date. Even if you change your credit card information and password, plenty of information is either permanent or fairly stable – like your name, birthdate, address, employer, bank, and so on. This information can be used and resold many times over for many years.
- Learn how to protect your identity, get free credit reports, freeze your credit, and more in my blogs:
- Understand the scope of the ID theft problem. The Privacy Rights Clearinghouse and the FTC have excellent materials to help you.
- Be wary of allowing additional information about yourself to be placed online with Sony or any company before they’ve proven they have strong security standards in place.
- Demand better security and accountability of the companies, institutions, and government agencies holding your records.
- Internal security measures need to be in place to:
- Block dishonest employees from making off with records
- Prohibit employees from taking records away from the secure facility – on laptops, flash drives, etc. that can be stolen, “lost” or otherwise compromised.
- Train employees in security measures – and continually test that these are upheld
- Ensure all sensitive information is encrypted, rendering it useless to those without the necessary key
- Increase defenses against hackers, with stronger security measures and multi-tiered layers
- Require 3rd party probing to test defenses and run constant monitoring for intrusions
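The plain-text password storage described above is the one item in this list that has a very concrete fix, so here is an added example (not code from the original post or from Sony) contrasting a record stored the way the hackers described with one stored as a salted, iterated hash; the usernames, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed work factor for the example; production values should be
# tuned to the hardware and reviewed periodically.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(username: str, password: str) -> dict:
    """The failure mode the post describes: the password is written verbatim."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Store only a per-user salt and a PBKDF2-HMAC-SHA256 digest.

    The password itself never reaches the record, so a copied table does
    not hand the reader working credentials.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "user": username,
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_secret(record: dict) -> Optional[str]:
    """What someone who copies the stored record obtains: the password, or nothing usable."""
    return record.get("password")


if __name__ == "__main__":
    print("plain text record leaks:", leaked_secret(store_plaintext("alice", "hunter2")))
    hashed = store_hashed("alice", "hunter2")
    print("hashed record leaks:", leaked_secret(hashed), "| login still works:", verify_password(hashed, "hunter2"))
```

Because each record gets its own random salt, two users with the same password produce different digests, so a dumped table cannot even reveal who shares a password.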
- Next, learn to identify scams. Scams have rapidly evolved. Though your junk mail folder captures the completely obvious and amazingly stupid scams, the ones that manage to fool the spam filters are likely to also fool you – particularly when your own breached information is being used to trick you. To be safe you need to consistently follow the 14 Steps to Avoiding Scams.
I’m an internet fan through and through, and a capitalist that wants to see companies do well, but I’m angry. If the tradeoff is between corporate revenue and consumer protections, I’m on the consumer side every time. I’m sick and tired of companies failing to take adequate measures to protect consumer information because of their own short sighted ‘cost savings’ (greed), through carelessness, or plain old laziness.
I’m angry that our privacy and security have been compromised and that companies really don’t care. And I’m REALLY ANGRY that the privacy advocates and people in the data protection community are betting that consumers will simply give up on our demands for security and will just roll over and play dead.
I’m not rolling over.
Previous blog posts on Sony Data Breaches:
- Sony’s Bad News Isn’t Over – Hackers Have Made Two More Data Breaches
- Sony: The Financial Impact of the Gaming Services Hack
- Oops! Sony did it Again….Another 24.6 Million Accounts Exposed
- Sony’s Security Breach, their Delay in Reporting, and their “User’s it’s Your Problem” Stance Deserves close scrutiny