Assets Stolen: More than 100 million customer account details and 12 million unencrypted credit card numbers.
Attackers were able to compromise three different Sony-owned databases containing sensitive customer information, including names, dates of birth, and, to some extent, credit card numbers, affecting customers of PlayStation Network (PSN), the Qriocity music and video service, and Sony Online Entertainment. So far, some nine Sony assets have been hacked as a result of the initial breach.
According to testimony by respected security expert Dr. Gene Spafford of Purdue University, Sony was using an outdated Apache server that was unpatched and had no firewall installed -- a fact that Sony knew about months before the breach went down. Last week hackers poured salt on the wound when they started to exploit PSN once again, after Sony failed to fortify the password reset system even though the attackers already held users' email addresses and dates of birth. The bad guys were able to change the passwords of users who had not changed the email address associated with their PSN accounts before Sony shut down PSN once again to fix the problem.
Lessons Learned: A corporate culture devoid of security emphasis can cost a company a fortune in this day and age. According to reports out this week, Sony has spent $171 million so far on customer remediation, legal costs, and technical improvements in the wake of the breach -- and that cost is only rising. Recovery from such a massive breach can be not only expensive, but also embarrassing and damaging to the brand.
5. Victim: Texas Comptroller's Office
Assets Stolen: The names, Social Security numbers, and mailing addresses of 3.5 million individuals, plus dates of birth and driver's license numbers of some.
Sensitive information collected in databases by three Texas agencies -- the Teacher Retirement System of Texas, the Texas Workforce Commission (TWC), and the Employees Retirement System of Texas -- was exposed for nearly a full year by the Texas Comptroller's Office on an unencrypted, publicly accessible server. The employees responsible for putting the data online purportedly broke departmental procedures and were fired when the breach was discovered.
Lessons Learned: Policies and procedures don't mean much when there are no technical controls or monitoring solutions installed to enforce them. The fact that employees were able to place database information in such a vulnerable position shows how policies without "teeth" can expose an organization. The State of Texas now faces two class-action lawsuits as a result of this breach, one of which is going for a $1,000 statutory penalty for each affected individual -- a whopping charge when it's aimed at a breach impacting millions.