What the Latest Data Security Breaches Really Mean
If you haven't yet checked to see if your email address and password are now public knowledge, it would be a good idea to take a couple of minutes to make sure your information wasn't compromised in the past few days. One thing is certain: Seldom have events supplied a more compelling argument for following basic security measures.
Here's a quick review. The PlayStation Network intrusion, which started on April 17, resulted in the exposure of 77 million customer records (Network World has a complex timeline of events). The Sony Online Entertainment breach, which started on May 2, led to 25 million customer records being exposed, including 12,700 non-U.S. credit card numbers. On May 22, Sony BMG Greece was hacked, with 8,500 email addresses and hashed passwords retrieved.
Then, on May 23, LulzSec -- an organization few people had ever heard of, to that point -- stole data from Sony Music Japan's site. According to Sophos, the data "does not contain names, passwords or other personally identifiable information." On May 24, Sony Ericsson Canada lost 2,00 email addresses and passwords. The data was posted on pastebin, but has been pulled. If you were one of the compromised individuals, Sony has already notified you.
Then came the big load. On June 2, LulzSec claims it stole more than 1 million user names, passwords, email addresses, dates of birth, and more, from the site SonyPictures.com. Apparently, incredibly, none of the information was encrypted -- it's all in plain text. There's a torrent floating around with 51,000 entries selected from the compromised million. Lulz posted a similarly abbreviated list on pastebin, but it's also been removed. Troy Hunt has details about the torrent on his blog, including a list of the most common passwords.
The full list isn't available, but a small subset can be found in three locations. If you've ever logged on to the Sony Pictures website, you should expect that the email address and password that you used on that site is now widely available. If you've used that password anywhere else, you need to go to all of those locations and change it.
But wait. That isn't all.
A group calling itself the Pakistan Cyber Army claims it has stolen 40,000 user names from the Acer Europe database, including customer names, physical addresses, phone numbers, and email addresses but not, as best I can tell, passwords. Hacker News has posted some fuzzy screenshots of compromised customer records. The group that took the data apparently found the logon name and password for the server posted in a three-year-old tech support message, buried in a Hot Fix forum.
Right now would be a good time to ask your users if they've ever logged on to a Sony site -- any Sony site. If they have, it would be a very good idea for them to log on again right now and change their passwords into something unique.
It's also a good excuse to review all of those warnings you've been giving them over the years, particularly the warnings that start by saying you shouldn't reuse passwords.
The press is abuzz with tales of "sophisticated" attacks and widespread cyber mayhem. I haven't seen any evidence that these attacks took anything more sophisticated than a straightforward SQL injection and some well-directed spear phishing. What amazes me is the number of different vulnerable databases that have been discovered lately, and the absolutely unconscionable concept that sensitive data stored in outward-facing databases isn't encrypted. LulzSec claims it has hacked Sony six times in the past two weeks. If your company has any outward-facing data at all, this would be a very good time to review the steps that are being taken to protect it.
This story, "What the latest data security breaches really mean," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.