Where hacked Sony went wrong, and Lastpass got it right
Unless you have been living in Osama Bin Laden’s old cave, you can’t have failed to notice that Sony is having a bad time of it right now.
First the PlayStation Network is hacked and customer data compromised, and then we discover that the Sony Online Entertainment network has suffered the same fate. There has been plenty written, including some excellent editorial here at PC Pro, covering the what and why of the breach, so there is little point me going over that again.
I’m more interested in how Sony responded after discovering the breach. Did the gaming giant get it right regarding disclosure in this case? Is the Pope a belly dancer?
It was bad enough that Sony took so long to inform customers of the PlayStation Network breach: a week is one heck of a long time. Yet that’s how long it took Sony, one of the biggest entertainment outfits on the planet, to confirm what data had been compromised and get around to informing customers that they might be at risk.
Simply not good enough, Sony. Yes, you need to get your facts straight before going public, but a week when your customers were at potential risk of credit-card fraud and you did nothing?
Ross Brewer, a director at log analysis firm LogRhythm, shares my surprise, stating “compromised user accounts were discovered as early as 17 April… yet it has taken seven days to warn users that they are now at increased risk of email, telephone, and postal mail scams, as well as credit-card fraud”.
As William Beer, a director in PwC’s information security practice, points out, “the period after a breach is time-critical in terms of communicating with consumers, regulators and protecting reputation” – especially when consumer trust is being tested by the amount of personal information they are expected to divulge and entrust to gain the benefits of an online service. Even the EU Justice Commissioner Viviane Reding has said that seven days “is much too long”.
But that’s not the half of it. It turns out that the Sony Online Entertainment network, which serves PC gamers and saw a further 24.6 million customer details compromised to add to the 50 million on the PlayStation Network itself, was actually hacked first. Sony knew about the hack, but didn’t believe any customer data had been compromised so kept quiet. Big mistake, as it turns out. The reputation of Sony will, in my never humble opinion, have been hurt much more by the creeping revelations of consumer data exposure than the short-term harm of warning customers to be on guard, just in case.
Lastpass sets the example
If Sony wants to know what it should have done, it need look no further than the emerging story of a potential hack attack at the Lastpass password management service. The company “noticed an issue” yesterday: its logs revealed a network traffic anomaly on a non-critical machine. Upon investigation it was unable to identify the root cause and, having spotted matching activity in its outbound traffic, concluded there was the potential for a hacker to have breached the database and transferred email addresses, the server salt and the salted password hashes.
Rather than keep mum through fear of reputational harm, Lastpass immediately notified its users and put in place a procedure to force them to change their master passwords. “The potential threat here is brute forcing your master password using dictionary words, then going to LastPass with that password to get your data” a Lastpass spokesperson said. “Unfortunately not everyone picks a master password that’s immune to brute forcing”.
As well as forcing the password change, Lastpass required the request to come from a known IP or with an email validation for additional security. “We realise this may be an overreaction and we apologise for the disruption this will cause” the spokesperson said, “but we’d rather be paranoid and slightly inconvenience you than to be even more sorry later”.
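The two controls described above (a salted, iterated master-password hash whose weakness is a dictionary-word password, and a password-change request that must come from a known IP or carry an email validation) can be sketched in a few functions. This is an added illustration, not Lastpass’s own code; the PBKDF2 iteration count, the five-word sample dictionary, the IP addresses and the tokens are all constructed assumptions for the example.

```python
import hashlib
import hmac

# Constructed sample dictionary: stands in for the wordlists that would be
# tried offline against a leaked salt + hash. Hypothetical and tiny.
SAMPLE_DICTIONARY = {"password", "letmein", "dragon", "monkey", "sunshine"}

# Assumption: an iterated KDF rather than a single salted hash. The page only
# says "salted password hashes"; the iteration count here is illustrative.
PBKDF2_ITERATIONS = 100_000


def hash_master_password(password: str, salt: bytes) -> bytes:
    """Derive a salted, iterated hash of the master password (PBKDF2-HMAC-SHA256).

    The salt stops a single precomputed table covering every user, and the
    iteration count makes each offline guess cost roughly 100k hash operations.
    Neither helps if the password itself is a dictionary word.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def verify_master_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored hash."""
    return hmac.compare_digest(hash_master_password(password, salt), stored)


def is_dictionary_password(password: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True if the master password is a dictionary word, with or without a
    trailing digit or '!' (the common 'password1' pattern). Used to reject a
    replacement master password that would fall to the attack the page
    describes."""
    lowered = password.lower()
    base = lowered.rstrip("0123456789!")
    return lowered in dictionary or base in dictionary


def should_allow_master_password_change(
    request_ip: str,
    known_ips: set,
    email_token: str = None,
    expected_token: str = None,
) -> bool:
    """Gate for the forced change: allow from a known IP, otherwise require a
    valid email-validation token (hypothetical token values)."""
    if request_ip in known_ips:
        return True
    if email_token is None or expected_token is None:
        return False
    return hmac.compare_digest(email_token, expected_token)


if __name__ == "__main__":
    salt = b"constructed-16-byte-salt"[:16]
    stored = hash_master_password("correct horse battery staple", salt)
    print("good password verifies:", verify_master_password("correct horse battery staple", salt, stored))
    print("'Password1' is dictionary-weak:", is_dictionary_password("Password1"))
    print("unknown IP without token allowed:", should_allow_master_password_change("198.51.100.9", {"203.0.113.5"}))
    print("unknown IP with token allowed:", should_allow_master_password_change("198.51.100.9", {"203.0.113.5"}, "tok-1", "tok-1"))
```

The weak-password check is deliberately run at password-change time: forcing every user to set a new master password does little if the replacement is another dictionary word, and the known-IP-or-email gate is what keeps the reset flow itself from becoming the account-takeover path.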
Now that may sound like commercial suicide when you consider that this is a security outfit offering a password vault service admitting that it may have been compromised. I beg to differ: this is a security company taking its responsibilities seriously (although if a breach has taken place, then some difficult questions need to be asked). Disclosing quickly and honestly maintains the trust relationship with its customers.
Are you listening, Sony?