Presentation Transcript

1. Sony: The World’s Largest Data Breach

   Presented by: Lukas Heiser MIS 340 Section 3 Professor Safonov
2. https://www.youtube.com/watch?v=rtXzaipgH8g
3. Why are systems vulnerable? Data is much more vulnerable in electronic form than manually. The potential for unauthorized access, abuse, or fraud can occur at any access point in a network. Can happen from technical, organizational, and environmental factors when compounded with poor management decisions. Things to do: People: Develop security policies and a plan Organization: Deploy security team Technology: Website security system, individual security technologies
4. What happened? Hackers had stolen personal information (names, birth dates, phone numbers, addresses, and credit card information) from all 77 million users. Hackers also drained information off of Sony’s website, took music codes, and 3.5 million coupons. In a normal year, losses of personal information from online systems involves 100 million people. Sony’s data breach exceeded this statistic in a single attack. Supposedly this was a “revenge hack” by the internet hack group “Anonymous”, after Sony’s civil suit against George Holtz, one of the worlds best known hacker’s. Anonymous claims that Sony needs to admit its incompetence in computer security.
5. Security breaches Most computer breaches are a result of management failure, sloppy procedures, lack of training, carelessness, outdated software, and unwillingness to spend resources on expensive security measures. According to Eugene Spafford, executive director of the Center for Education and Research in Information Assurance and Security (CERIAS), the playstation network was using an older version of web server software which has well-known security issues. Also, Sony’s website had poor fire wall protection (this problem was even brought up on a forum months before the incident).
6. Encryption Encryption is the process of transforming plain text or data into cipher text that cannot be read by anyone but the sender and intended receiver. The reason most personal data is not encrypted in a large scale private databases is because of cost. Encrypting their customers data would’ve cut into their profits drastically because IT is such a huge part of its cost structure due to it being an internet-based enterprise.
7. Response Sony decided to announce and apologize to its customers a week after the breach when they should’ve immediately. Sony says they were the victim of a highly sophisticated criminal cyber attack. They also offered customers free games and privacy protection through a private security firm at Sony’s expense. It took Sony 4 weeks to restore partial service.
8. Case Questions What were Sony’s security and control weaknesses? Old server system (could’ve upgraded), didn’t spend money on encryption. What contributed to these problems? Poor management decisions. What was the business impact of the Sony data losses on Sony and its customers? Had to pay $170 million for these measures plus legal costs, bad rep and loss of customers (old, current, and new). What solutions would you suggest to prevent these problems? Better management and decision making skills. Protecting your customers by making sure software is top of the line and encrypted.