Sony was using outdated software on its servers when its PlayStation Network and Sony Online Entertainment services were infiltrated by hackers in a data breach affecting over 100m users' personal data, a US House of Representatives hearing has been told.
Sony knew about the vulnerability before the security breaches, Gene Spafford, professor in information security at Purdue University, told an Energy and Commerce Subcommittee hearing into the threat of data theft.
Spafford, who chairs the US Public Policy Council of the Association For Computing Machinery, said security experts monitoring open Internet forums learned months ago that Sony was running outdated versions of the Apache web server software, which was unpatched and had no firewall in front of it, according to US reports.
The issue was reported in an open forum, monitored by Sony employees, two or three months before the security breaches, Spafford said.
Sony declined to attend the hearing, but said in a letter that it has added automated software monitoring and enhanced data security and encryption to its systems, in the wake of the recent security breaches.
In written testimony, Spafford said organisations continue to run outmoded, flawed software, fail to follow some basic good practices of security and privacy, and often have insufficient training or support.
The most commonly cited reason for these failings is cost, he says.
"The cost of providing better security and privacy protection is viewed as overhead that is not recovered in increased revenue, and it is usually one of the first things trimmed in budget cuts," says Spafford.
Running outdated software and unpatched operating systems exposes citizens to risks and consequences whose cost a company does not bear, says Spafford. Because of this, companies do not have an immediate economic incentive to make the investment needed to prevent breaches, he says.
However, he says, there is still a risk of real loss if a breach occurs, with the cost to a company per record averaging $214.