I wonder if that is a coincidence that Sony Corporation of America is looking for a Senior Network Systems Administrator considering an Associated Press article reported that victims of the latest Sony Pictures data breach have confirmed that the information that the blackhat group “Lulz Security” leaked was real information that did come from Sony which means that that Sony Pictures engaged in the extraordinarily negligent practice of storing user passwords in plain text on a web-facing server. The increasing number of successful attacks against Sony properties tends to indicate that Sony is not currently up to the task of having a web presence that collects and stores user data.
While it isn’t clear if Sony lacks the required security talent, management isn’t listening to the talent they do have, or some other medley of catastrophic systemic failures is the problem, the global Sony network is looking to be more porous than a pumice stone. Clearly Sony needs a strong and empowered global security leader to coordinate an overhaul and ongoing audit of how Sony websites manage and secure confidential consumer information.
The AP article also quotes Lulz members as telling victims of the hacker group to blame Sony for the leaked data. Obviously Sony is to blame for not securing the data, but unless Sony has mind control over the hackers, the choice to publish the data lies exclusively with Lulz. Apparently Nintendo, also reportedly hacked by Lulz, lacks the mind control expertise that Sony has or else they did a better job of securing their data as Lulz posted no user data from the Nintendo hack.
In the past, Microsoft has offered bounties for information leading to the arrest and conviction of cybercriminals and has enjoyed some success. Sony may want to refocus their legal efforts on apprehending the criminals who attack their users instead of suing hackers who crack their game consoles. A widely publicized and significant bounty for the apprehension of the attackers might convince some users that Sony is even paying attention at all. So far it appears that Sony is far more interested in prosecuting George Hotz than in apprehending the attackers who published the relatively unguarded user data Sony had been entrusted to protect.
Director of Technical Education
Cyber Threat Analysis Center
ESET North America
Author ESET Research, ESET