It appears that kicking the hornet’s nest worked out better for Lisbeth Salander than it has for Sony. The “hacker group” LulzSec has again embarrassed Sony by compromising SonyPictures.com and exposing user data for over one million users. Fortunately for Sony, the group did not have enough computer resources to download the whole database, although it did take about 51,000 user records. Unfortunately for Sony, LulzSec has demonstrated once again how clueless Sony is about even rudimentary security. LulzSec’s announcement is available on Pastebin.
Consider this:
- The compromise was carried out with an elementary SQL injection attack. How is this possible today? How is it possible especially for Sony, which, one would think, would be on the alert after the PSN and subsequent disasters?
- The stolen data included passwords, email addresses, birthdates, and whatever opt-in data, such as telephone numbers, the users included.
- None of this data was encrypted.
All of this suggests that if Sony wants to sue and prosecute people for modding the PlayStation console, they had better attend to their security first. Of course, it’s already too late for that. I wonder how many of those users who had their personal information exposed are already talking to lawyers. Sony is very likely to discover that those who live by the lawsuit die by the lawsuit.