Sony data breach: 100m reasons to beef up security

To avoid large-scale data breaches, organisations must re-evaluate security controls to reduce fraud and protect individuals' data

The hacking of Sony's PlayStation Network and Online Entertainment service has potentially exposed more than 100 million users to fraud in one of the biggest data breaches to date.

Just a week after Sony admitted that personal details of 77 million PlayStation Network users had been accessed by hackers, the company has suspended the Sony Online Entertainment service and warned about 25 million users that their details may be at risk.

The Sony breaches follow several similar data breaches by online service suppliers such as and Lush, so what effect are they likely to have on the online services industry?

The stolen information includes users' names, addresses, e-mail addresses, passwords (which could be the same for other accounts) and possibly even their credit card details (which Sony claims were encrypted).

"It is a big inconvenience to customers - they are going to have to change their passwords on other internet sites and closely monitor their bank statements for unusual activity. This will inevitably undermine customer confidence," says Mikko Hypponen, chief research officer at F-Secure.

Loss of customer confidence

"An incident this size is sure to have significant repercussions for Sony," says Ross Brewer, vice-president and managing director, international markets, LogRhythm.

Relations with existing customers have been damaged and its ability to attract new ones reduced, he says.

A OnePoll survey of 5,000 UK consumers in November 2010, commissioned by LogRhythm, found that 66% of UK customers try to avoid future interactions with organisations found to have lost confidential data, while 17% resolve never to deal with them again.

If online service providers fail to provide adequate assurances that users' personal details are safe, it could clearly have a significantly negative impact on their business, so what should online service providers be doing with regard to data protection?

Re-evaluate security controls

To avoid a repeat of such a large-scale data breach, consumer organisations must re-evaluate security controls to reduce fraud and protect individuals' data, says Peter Regent, director of online authentication at security firm Gemalto.

A one-time-password (OTP) approach, using tokens or smartcard devices, provides an additional security layer to usernames and passwords to secure online transactions, he says.

Some gaming companies already require customers to use OTP devices to securely access their online accounts and make transactions.

"OTP devices can easily be integrated into most gaming consoles, securing access to the gaming environment, account holder information and to ensure customer data does not fall into the wrong hands," says Regent.

A far more sophisticated security approach is a must to protect networks that rely on username and password credentials alone from attack, he says.

According to Regent, a layered identity verification approach will ensure only authorised users gain network access. A smartcard solution encompassing certificate-based authentication and Public Key Infrastructure (PKI) certificates will enable only authorised employees to access sensitive information and will enable audit trails to be maintained.

This protects corporate information assets at a level similar to that which Chip and PIN cards provide for banking consumers when withdrawing cash from ATMs, he says.

Manage risk

Cyber criminals are becoming increasingly sophisticated and no individual or corporation is immune to attack, but by integrating multi-layer authentication into security processes and infrastructures, consumer organisations and businesses will be better prepared for fraud prevention, says Regent.

Online service providers need to get independent experts to assess the security of their systems and make recommendations for improving security, says Randy Abrams, director of technical education at security firm ESET.

"Penetration testers should be hired to find security problems before the black hat hackers find them," he says.

However, Abrams says online service providers cannot prove that customer details are safe. In reality, he says, there is no 100% security, there is only risk management.

"Online service providers can provide information about what they do to secure consumer data, but I am not convinced that most consumers would understand what it means, and any company can say what they are doing, but it does not mean that they walk the talk," he says.

Neil Campbell, global general manager of security at Dimension Data, says that from a technology point of view, organisations should continually monitor their IT infrastructure and the IT security industry for threats and new approaches to managing threats.

Raise security awareness

But in addition to deploying security technologies based on risk assessments, organisations have to recognise that people can be both the strongest and the weakest link when it comes to IT security, he says.

Organisations must continually invest in security awareness training, build strong and well managed security processes, and back up those processes with technology failsafes wherever possible, says Campbell.

"We will continue to suffer from data breaches, but our aim should be to reduce the frequency and impact of those breaches," he says.

Rob Warmack, EMEA director for Tripwire, says the only option for addressing the threat of cybercrime is to close the window of opportunity for network compromise.

"In a complex, dynamic IT environment, only those organisations that create the right security policies and processes, and then enforce policy with the right automated controls to increase visibility of suspicious activity, can reduce attack and better safeguard the business," he says.

Hypponen says bank systems also have a role to play in providing security and confidence for users of online services.

"We especially like systems such as the one provided by Bank of America, where you can generate temporary credit card numbers for online use. Citibank and Discover offer the same or similar technology," he says.

Ash Patel, country manager for UK & Ireland at network security supplier Stonesoft, says the Sony data breach is yet more evidence that hackers are more focused, persistent and resourceful than ever before.

"Businesses need to be more diligent than ever in ensuring there are no holes in their defences but, after years of warnings, it cannot solely be that these large, well-resourced organisations do not have the right security products or strategy in place. We have to assume that hackers are finding new ways around existing defences," he says.

Share information

The security industry and user organisations need to work more closely together to identify and tackle new security threats, says Patel.

Rik Ferguson, director of security research at Trend Micro, says he would like to see further details from the companies in question on what exactly was breached and what is being done to ensure the same thing will not happen again.

"It is important for them and their customers to make sure measures are being put in place," he says.

If targeted companies such as Sony are more forthcoming with their advice and information on security breaches, and consumers become more proactive with how they manage their e-mail accounts, the threat of serious attacks should be lessened, says Ferguson.

There is always the chance that someone can get hold of your information without your knowledge, he says, but as long as you take control and make sure you are as secure as you can be, and websites are ensuring they have the correct measures in place, there is certainly less to worry about.

Proving Sony has learned some lessons in the face of strong user backlash, the company has undertaken to improve security systems and not to restore services until this is completed.

Sony claims it is initiating several measures that will "significantly enhance" all aspects of PlayStation Network's security and users' personal data, including moving its network infrastructure and datacentre to a more secure location.

While Sony appears to be doing all it can to win back the confidence of its users, why did it take a massive data breach to stir the company into action?

Surely it cannot be too difficult for IT security professionals to make a business case for state-of-the-art protection around customer data?

At least IT security professionals struggling to get executive-level support for data protection can now point to Sony to prove that there is a real and present threat.