The data breach affecting Sony Online Entertainment's 24.6 million accounts is linked to a previously announced cyberattack on Sony's PlayStation Network and Qriocity entertainment service, which affected the personal information of more than 77 million users. Thomas Peter/Reuters
Cybersecurity specialists are asking pointed questions about the way Sony manages customers' sensitive information, based on new details about its massive data breach.
Chester Wisniewski, a Vancouver-based senior security advisor with the computer security firm Sophos, said Tuesday that he was shocked when Sony disclosed Monday that an "outdated" 2007 database of credit and debit card data was among the information that may have been stolen from players of the EverQuest duology, Free Realms, and other massively multiplayer online games in the company's Sony Entertainment Online division. The data breach affecting that division's 24.6 million accounts is linked to a previously announced cyberattack on Sony's PlayStation Network and Qriocity entertainment service, which affected the personal information of more than 77 million users.
Sony said there was no evidence its main credit card database for Sony Entertainment Online, kept in a "completely separate and secured environment," was compromised.
'If the credit card numbers are no longer valid, then why is Sony still keeping them?'— Avner Levin, Ryerson University
"So you're going, 'Oh, the main database was well protected — this was just an old one that was laying around,'" Wisniewksi said. "Why is decommissioned personal information, and especially financial information, just on the network?"
Sony made no mention of whether the database, which affects customers outside the U.S., was encrypted, implying that it was not, Wisniewski suggested.
Avner Levin, director of the Privacy and Cyber Crime Institute at Ryerson University in Toronto questioned why the database exists at all. "If the credit card numbers are no longer valid, then why is Sony still keeping them?" he asked. He said some credit cards in the database may not have expired yet. For cards that have expired, cybercriminals may be willing to find out their new expiry dates through trial and error: "It's not that difficult and they could get lucky." The database also contained direct debit records listing bank account numbers of more than 10,000 customers in Germany, Austria, Netherlands and Spain.
"Whether Sony's bad practices are an act of hubris or simply gross incompetence is hard to discern," Wisniewski wrote on Sophos's Naked Security blog Tuesday. "It is just unfortunate that Sony had not taken a few preventative measures to be sure our information was safe." Lack of encryption questioned
In an interview with CBC News, he noted that Sony had previously disclosed that its PlayStation Network credit card database was encrypted, but other personal information was not.
What is hashing?
Hashing is a method commonly used to protect passwords. The technique involves using a cryptographic algorithm to automatically generate a string of characters from a given password. That string of characters – not the password itself - is stored in a database by companies like Sony. Each time a user is asked for his or her password, the algorithm is applied and the string of characters is re-generated. It is then compared to the string of characters in the database.
"If you've got the technology to be able to encrypt my credit card, why wouldn't you encrypt all of my personally identifiable information?" Sony clarified on its PlayStation blog Monday that user passwords were protected using a method called hashing, which isn't strictly encryption, but makes use of a cryptographic algorithm.
Wisniewski said that may or may not do a good job of protecting user passwords depending on the type of hashing used. He likened it to a lock on a door: "Did you put in a deadbolt or just a cheap little doorknob you buy at Canadian Tire?" He suggested the passwords are some of the most valuable information stolen, as many people use the same passwords for multiple accounts, including email and Facebook. Those accounts can in turn be used to retrieve or change other passwords.
Wisniewski said the ultimate damage suffered by customers depends on who launched the cyberattack against Sony. The attackers may be politically motivated and simply wanted to make Sony look bad as revenge for alleged wrongs against hackers in the past. But if they are criminals trying to make a profit, they may sell the data in parcels to other criminals all over the world for the purposes of committing fraud or other crimes. "Either way, Sony's already taken their lumps," Wisniewski said. "Let's hope that their customers don't have to pay the price as well."