Sony, Sony, Sony. You never learn anything the second, third, fourth, or fifth time you are kicked by the same horse! On Tuesday Sony confirmed that someone hacked into its website and stole about 2,000 customer names, e-mail addresses, and a hashed version of their passwords. Close to 1,000 of the records have already been posted online by a hacker calling himself Idahc, and claiming to be a “Lebanese grey-hat hacker.” Idahc used an SQL injection flaw allowing him to acces the records on the Canadian version of the Official Sony Ericsson eShop online store for mobile phones and accessories.
Sony Ericsson has disabled the e-commerce site, confirming that this is a standalone website and it is not connected to Sony Ericsson servers. No personal or banking information appears to have been compromised.
Earlier this year Sony gained the attention of hackers worldwide by suing George Hotz who’d found a way to break Sony’s protective controls, and installed Linux on his PlayStation 3. Sony eventually settled with Hotz, but apperaed to most as a bully in the affair. Sony’s online presences have been under sustained attack since then. In April, its PlayStation Network was hacked and then pulled offline. To date, there have been at least five publicly known hacks of Sony web sites around the world. In the past week, Sony BMG Japan, Sony BMG Greece, the So-net Internet service provider, and a company server in Thailand all have been compromised, one by one. Earlier this week, Sony had estimated the attacks will cost at least US$170 million.
Sony’s continued problems reflect what appears to be a cavalier attitude toward computer security, looking a lot like a company where security was merely an afterthought that got in the way of performance and convenience. This is the result of that attitude, and taking up a little spotlight time in the public eye. Secure your assets.