Today, June 8th Sony Pictures published a consumer alert on their site http://www.sonypictures.com/corp/consumeralert.html. The alert is about the data breach that was not discovered by Sony, but rather shoved in Sony’s face on June 2nd and specific details were confirmed by the Associated Press on June 3rd.

Despite the fact that it was confirmed that actual user email addresses and unencrypted passwords were compromised, the alert says “Sony Pictures Entertainment (SPE) has provided notice to the approximately 37,500 people who may have had some personally identifiable information stolen during the recent attack on sonypictures.com.”

People who *may* have had personally identifiable information stolen? Yeah, those who provided fake email addresses and passwords are ok, but many users obviously DID have personally identifiable information stolen as well as their passwords. This is not a smart time for Sony to be couching their language or trying to minimize the damage of the breach.

Sony does claim that they will be providing a complimentary ID theft protection service, but the details of the offering will understandably be sent to the victims separately.

If the various Sony properties had better communications you would expect that it would not have taken six days to get the consumer alert posted. Clearly Sony has a significant challenge in front of them in figuring out how to secure their properties and get incident response and alerting completed in a timely manner.

Man I hope this is the last time I have to mention Sony in a blog for a long time!

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America