Sony is continuing to face substantial security problems. The company had to apologize for an April security breach of millions of its PlayStation customers’ data and then for a later security breach at its Sony Online Entertainment division. Then there were reports of yet more data security breaches in Sony’s systems in Greece, Thailand and Indonesia, and then reports that Sony had to shut down Web sites in Canada as well.
Now, the Associated Press reports on another major security breach of Sony systems:
Another massive data breach at Sony has left hackers exulting, customers steaming and security experts questioning why basic fixes haven’t been made to the company’s stricken cybersecurity program.
Hackers say they managed to steal a massive trove of personal information from Sony Pictures’ website using a basic technique which they claim shows how poorly the company guards its users’ secrets. Security experts agreed Friday, saying that the company’s security was bypassed by a well-known attack method by which rogue commands are used to extract sensitive data from poorly-constructed websites. […]
Culver City, California-based Sony Pictures has so far declined to comment beyond saying that it is looking into the reported attack — which saw many users’ names, home addresses, phone numbers, emails, and passwords posted on the Web.
It wasn’t clear how many people were affected. The hackers, who call themselves Lulz Security — a reference to the Internetspeak for “laugh out loud” — boasted of compromising more than 1 million users’ personal information — although it said that a lack of resources meant it could only leak a selection on the Web. Their claim could not be independently verified, but several people whose details were posted online confirmed their identities to The Associated Press. […]
John Bumgarner, the chief technology officer for the U.S. Cyber Consequences Unit — a research group devoted to monitoring Internet threats — was emphatic when asked whether users’ passwords could be left unencrypted.
“Never, never, never,” he said. “Passwords should always be hashed. Some kind of encryption should be used.”