Sony Hack Caps Recent String of Security Horror Shows
By Ian Paul
Sony’s massive security breach impacting as many as 100 million of its customers is just the latest in a string of corporate security gaffes in recent months that have left customers vulnerable to financial fraud and identity theft. Lax security has impacted a large number of corporations, institutions, and even computer security firms recently. Here’s a breakdown of some of the more sensational (and sensationally stupid) security breaches.
Sony isn’t the only company in recent weeks to end up with digital egg on its face.
Epsilon’s Greek Tragedy
Epsilon, the world’s largest permission-based e-mail marketer, endured an attack in late March that exposed names and e-mail addresses saved in the customer databases of many well-known companies such as JPMorgan Chase, Capital One, Marriott Rewards, McKinsey Quarterly, US Bank, Citigroup, Ritz-Carlton Rewards, Brookstone, Walgreens, The College Board, and the Home Shopping Network (HSN). Epsilon has more than 2000 corporate customers and is responsible for more than 40 billion marketing e-mails every year on their behalf.
The Oak Ridge National Laboratory was hacked in late April. The federal lab, funded by the U.S. Department of Energy, works on a variety of projects including energy matters and, not so reassuringly, computer security. Hackers were only able to steal a “few megabytes” of data before the lab shut down Internet access to employees to deal with the hack. The lab said the hack was the result of what security experts call an “advanced persistent threat” (APT). Which is a fancy way of saying several employees opened an e-mail and clicked on a malicious link. Oak Ridge was also hacked in 2007, and withstood an earlier attack in 2000.
An Oopsie the Size of Texas
In late March, the State of Texas Comptroller’s Office mistakenly exposed the social security numbers, names, birth dates, driver’s license numbers and addresses of 3.5 million people. The private information came from members of the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS). The government office said the unencrypted data sat on a publicly available server for nearly a year by mistake. Oops.
RSA (Not So) SecurID
In March, security firm EMC notified users that one of its companies, RSA, was the target of an “extremely sophisticated cyber attack,” referring to it as an APT. The attack had the potential to compromise the security of RSA’s two-factor authentication product, SecurID. But the company said the attackers would need additional information from RSA customers to carry out a widespread attack. It was later reported that RSA’s “extremely sophisticated attack” consisted of someone opening a malicious Excel document containing a zero-day exploit of Adobe Flash.
One security screwup straight out of left field comes courtesy of the New York Yankees. In late April, it turns out, a customer service representative for the Bronx Bombers accidentally sent out the personal details of 18,000 season ticket holders to a newsletter mailing list. The details were reportedly attached to the bulk e-mail as a spreadsheet, which begs the question, “how does a lowly customer service representative have the power to access or compile a spreadsheet filled with customer data?” And, more importantly, would this have happened to the Red Sox?
Sorry State of Sony Security
Sony recently revealed that its Sony Online Entertainment network, used for massively multiplayer online games such as EverQuest and Star Wars Galaxies, was the victim of an online intrusion. Making matters worse is the news that as many as 12,700 credit card numbers may have been stolen in the second Sony break-in. The SOE hack follows the highly publicized shutdown of Sony’s PlayStation Network and Qriocity music service after the company detected an “external intrusion.”