At a press conference at the Sony headquarters in Tokyo, Sony Computer Entertainment president, Kazuo Hirai, and two other executives bow to apologise for the massive data theft. Photograph: AFP/Getty Images
News that Sony has brought in external investigators after the personal information of over 100 million Sony online gamers was compromised in hacker attacks highlights a sombre reality: not even one of the world’s most sophisticated technology companies can outwit the hackers in 2011.
Online gamers’ disappointment at being denied access to Sony’s PlayStation Network and Qriocity service while the hacks were investigated – robbing them of the privilege of being able to blast each other to bits in cyberspace – quickly turned to anger as Sony revealed just what sort of information the hackers are thought to have gained access to. As Sony put it:
"We believe that an unauthorized person has obtained the following information that you provided: name, address (city, state/province, zip or postal code), country, email address, birthdate, PlayStation Network/Qriocity passwords and login and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence that credit card data was taken at this time, we cannot rule out the possibility."
At least one lawsuit has already been launched in the US by a PSN user who claims Sony did not do enough to protect the private data of its customers, while the attorneys general of four US states have begun looking into the attack.
Here in the UK the Information Commissioner, Christopher Graham, appears to be taking a strong stance for a change. He told BBC Radio 4’s You and Yours programme that it looked like "a very significant breach of data protection law", though he will only be able to hit Sony with his potential fines of up to £500,000 if at least some of the compromised PSN data was stored in the UK.
Even then, while fines are all well and good, locked stable doors and bolting horses come to mind. Fining Sony will do nothing to reduce the risk of identity theft or fraud now faced by users of the PSN or Qriocity services, whom Sony has kindly suggested should "remain vigilant to review your account statements and to monitor your credit or similar types of reports".
Identity theft is a real and growing problem. According to CIFAS, the UK’s Fraud Prevention Service, identity fraud increased by almost 10 per cent in the first nine months of 2010, compared with the same period in 2009. The number of victims of impersonation rose by 18.4 per cent.
It’s easy to blame corporations like Sony for a lack of investment in adequate security measures. But the hack of servers run by the security firm RSA in March shows just how capable the bad guys – the hackers – are today.
RSA is not just a security specialist. Its authentication technology is specifically geared towards keeping the bad guys out of corporate networks, yet it still had to own up to a serious breach of its defences that could potentially have compromised the security of authentication systems used by 40 million employees to access sensitive corporate and government networks.
The UK government has by no means an unblemished security record. In November 2007 two disks holding the personal details of all families in the UK with a child under 16 went missing. The Child Benefit data on them included the name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people. The then Chancellor, Alistair Darling, said there was no evidence the data had gone to criminals, but urged people to monitor their bank accounts for unusual activity.
In September 2008 the Insolvency Service said the names, addresses and bank details of up to 400 directors of 122 firms were lost when four laptops were stolen. That same month the Service Personnel and Veterans Agency lost three USB portable hard drives with details of 50,500 staff. A month later the Ministry of Defence said a hard drive being held by a contractor, containing 1.7 million records, was missing.
Insider threats and good old-fashioned carelessness are nothing new, and won’t stop until people stop being human. Encryption and data loss prevention (DLP) technologies have come a long way but there’s no such thing as ‘100 per cent secure’, and no technology in the world can prevent a malicious insider with the right level of access privileges from helping themselves to a little sensitive data.
But the Sony and RSA hacks are, if anything, more worrying than a lost or stolen memory stick or laptop: these are the ominous signs that the bad guys, increasingly it seems, are outsmarting what should be some of the most secure defences. As Andy Cordial, managing director of secure storage systems firm Origin Storage, puts it, "There have been hacks of several corporates in recent weeks. Regardless of what caused these incursions, it is now clear that the database security systems in active use on both sides of the Atlantic are no longer sufficient."
Or to put it another way, right now the bad guys are winning.
Follow this author on Twitter: www.twitter.com/jasonstamper