On Thursday, Tim Schaaff, president of Sony Network Entertainment International, told a House Energy and Commerce Committee subcommittee hearing that “we believe the security we had was very, very strong and we were in good shape” prior to the breach of 100 million customer accounts, according to a report by the Boston Globe.
Perhaps in an attempt to make Schaaff eat those words, LulzSecurity announced triumphantly on Thursday that it had hacked into Sony’s network and obtained a million user names, passwords, email addresses, home addresses, dates of birth, as well as other confidential corporate information.
“Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?”, the group said in a Pastebin post.
“What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it”, the group added.
Sony said it was looking into the LulzSecurity claims, according to a Washington Post story.
Information security firms are throwing up their hands in dismay.
“What’s interesting about this latest Sony attack is that it is the hacking group, rather than Sony itself, who has disclosed the breach. This raises the question: did SonyPictures.com even know that its network had been compromised? Perhaps it did know, but decided not to disclose it. Either way, it will be a major worry to consumers who have entrusted the company with their personal information”, said Ross Brewer, vice president and managing director of international markets at LogRhythm.
“Sony needs to take drastic and immediate action to step up its IT defenses if it is ever going to restore consumer confidence in its services. At the moment, you can’t believe that anyone would happily hand over their password and date of birth to Sony for safe keeping”, Brewer added.
Commenting on the mode of LulzSecurity’s attack, Aziz Maakaroun, business development director at Outpost24, said that “what is particularly shocking here is that this hack utilized one of the oldest tricks in the book, an SQL injection vulnerability. Not only are SQL injections one of the most common and well known threats on the web, they are also one of the most easily protected against.”
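The two failures the article describes, a query built from user input and passwords stored in plaintext, are shown side by side with their fixes in this added example (constructed for this page, not Sony's code; the table, accounts and passwords are made up). The concatenated query returns every row for a crafted name, the parameterized one treats the same string as a literal, and a salted hash means a dumped table holds no reusable passwords.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts stored in plaintext, as the Pastebin post
# says the stolen records were.
USERS = [("alice", "hunter2"), ("bob", "letmein"), ("carol", "s3cret")]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    # Query text assembled by concatenation: the input is parsed as SQL.
    sql = "SELECT name, password FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterized query: the value travels separately from the statement,
    # so quotes or keywords in it never change the query's structure.
    sql = "SELECT name, password FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256; stored as "salt$digest", both hex.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    conn = setup_db()
    hostile = "x' OR '1'='1"  # textbook injection string, constructed for the demo
    print(len(lookup_vulnerable(conn, hostile)))  # 3: every account leaks
    print(len(lookup_safe(conn, hostile)))        # 0: no user has that name
    print("hunter2" in hash_password("hunter2"))  # False: dump reveals no password
```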