Sony Pictures falls victim to major data breach
Hacking group LulzSec claims it has accessed personal data on more than 1 million people
Computerworld - LulzSec, a hacking group that recently made news for hacking into PBS, claimed today that it has broken into several Sony Pictures websites and accessed unencrypted personal information on over 1 million people.
In a statement released Thursday, the group claimed that it had also managed to compromise all "admin details," including administrator passwords, as well as 75,000 "music codes" and 3.5 million "music coupons" from Sony networks and websites.
The group has publicly posted a full list of compromised sites, along with links to documents containing samples of what it claimed was material stolen from Sony.
The compromised databases included one that appeared to contain information belonging to people who participated in a promotional campaign involving Sony Pictures and AutoTrader.com, as well as another involving a Sony-sponsored Summer of Restless Beauty campaign.
Also compromised in the break-in, according to LulzSec, was a Sony music codes database, a music coupons database, and databases from Sony BMG Belgium & Netherlands.
The compromised databases contained "varied assortments of Sony user and staffer information," the group said.
"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now," LulzSec said. "From a single injection, we accessed EVERYTHING."
"What's worse is that every bit of data we took wasn't encrypted," the group claims. "Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it."
LulzSec said that it had copied and published only a relatively small sample of the information it had managed to access because it did not have the resources to download everything. The group said that in theory it could have "taken every last bit of information," but that would have taken weeks.
The group posted a link to the SQL injection vulnerability it had exploited and invited anyone to verify it personally. "You may even want to plunder those 3.5 million coupons while you can."
In a brief comment sent by email, Jim Kennedy, Executive Vice President of Global Communications for Sony Pictures Entertainment, said the company is looking into the claims made by LulzSec, but offered no other comment.
If the breach is as extensive as LulzSec has claimed, it would be the second major compromise that Sony has suffered since mid-April, when intruders broke into its PlayStation Network and Sony Online Entertainment networks.
Those breaches resulted in the compromise of personal data belonging to nearly 100 million account holders.
The attacks, such as the one carried out against Sony Pictures by LulzSec, have been designed largely to embarrass Sony, which has sparked the wrath of many hackers for its hard line stance over copyright and IP protection.
The continuing attacks have become a huge issue for the company. Sony was forced to shut down its PlayStation Network and Sony Online Entertainment networks for several days to fix issues resulting from those intrusions. Even now the networks are still limping back to normal.
So far, Sony has hired at least three external security firms to help patch its networks. It also recently hired a new chief information security officer to help coordinate its security efforts. With the company's websites having been routinely broken into, despite such measures, many wonder just how porous Sony's networks are.
Sony itself characterized the PlayStation Network and Sony Online Entertainment intrusions as highly targeted and sophisticated cyberattacks. However, all of the publicly disclosed ones since then appear to have been the result of some fundamental security oversights on the part of the company.
Several of the attacks have resulted from SQL injection flaws that hackers have claimed were extremely easy to find and to exploit.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
- NSA used 'European bazaar' to spy on EU citizens
- Target CIO resigns following breach
- Evan Schuman: Mobile IT Roach Motel: Data checks in, but it won't check out
- Sears finds no evidence of data breach -- yet
- Gameover malware is tougher to kill with new rootkit component
- Mobile app for RSA Conference exposes personal data
- UK man charged with hacking Federal Reserve
- Bloomberg clamps down with data-access policies after scandal
- Amazon.com security slip allowed unlimited password guesses on mobile apps
- Huge turnout at RSA shows hackers are winning
Read more about Network Security in Computerworld's Network Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- BlackBeard Case Study In this case study, learn how a business with 95% of revenues generated online was hit by DDoS attacks over a 6-month period,...
- Four Ways DNS Can Accelerate Business Growth This e-book describes how DNS has developed over the years to support business growth as new needs have emerged, for example, advanced traffic...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Network Security White Papers | Webcasts