Question: Case Study Questions 1. List and describe the security and control weaknesses at Sony that are discussed in this case. 2. What people, organizational, and

Case Study Questions

1. List and describe the security and control weaknesses at Sony that are discussed in this case.

2. What people, organizational, and technology factors contributed to these problems?

3. What was the business impact of the Sony data losses on Sony and its customers?

4. What solutions would you suggest to prevent these problems?

Please read the case to give a good response!!!


On April 19, 2011, system administrators at Sony's online gaming service PlayStation Network (PSN), with over 77 million users, began to notice suspicious activity on some of its 130 servers spread across the globe and 50 software programs. The PlayStation Network is used by Sony game machine owners to play against one another, chat online, and watch video streamed over the Internet. The largest single data breach in Internet history was taking place.

On April 20, Sony engineers discovered that some data had likely been transferred from its servers to outside computers. The nature of the data transferred was not yet known but it could have included credit card and personal information of PlayStation customers. Because of the uncertainty of the data loss, Sony shut down its entire global PlayStation network when it realized it no longer controlled the personal information contained on these servers. On April 22, Sony informed the FBI of the potential massive data leakage. On April 26, Sony notified the 40 states that have legislation requiring corporations to announce their data breaches (there is no similar federal law at this time), and made a public announcement that hackers had stolen some personal information from all 77 million users, and possibly credit card information from 12 million users. Sony did not know exactly what personal information had been stolen.

The hackers corrupted Sony's servers, causing them to mysteriously reboot. The rogue program deleted all log files to hide its operation. Once inside Sony's servers, the rogue software transferred personal and credit card information on millions of PlayStation users. On May 2, Sony shut down a second service, Sony Online Entertainment, a San Diego-based subsidiary that makes multiplayer games for personal computers.
Sony believed hackers had transferred personal customer information customers free games and privacy protection ("AllClear ID Plus") offered by a private security firm at Sony's expense for customers concerned about protecting their online identity. This offer is distributed to user e-mail accounts. The privacy protection plan does not offer an insurance policy against potential losses, but does help individuals monitor the use of their personal information by others. The company anticipated that it would have to pay $170 million in the 2011 financial year for these measures, plus associated legal costs. It took Sony four weeks to restore partial PlayStation service, and by May 31, the company had restored service to the United States, Europe, and Asia except for Japan. So far, no law enforcement agency has reported illegal use of credit cards stolen in the Sony affair.

According to Frank Kenney, vice president of global security at Ipswitch, a company specializing in transferring files securely online, the fact that dozens of Sony Web sites and servers had been breached is a sure sign of a company-wide problem. Any type of environment can be breached, but Sony has to devise a plan that not only protects its infrastructure but also convinces customers that their credit card and personal information are safe. Sony's "brand is at stake," he said. Sony's security problems could take years to fix.

The Sony data breach follows a string of recent breaches that are larger and broader in scope than ever before. The Privacy Rights Clearinghouse keeps a database of known data breaches. Prior to the Sony debacle, the largest data breach in 2011 occurred at Epsilon, the world's largest permission-based e-mail marketing services company with more than 2,500 corporate customers, including many major banks and brokerage firms, TiVo, Walgreens, and major universities. Epsilon sends out 40 billion e-mail messages a year for its clients.
In April 2011, Epsilon announced a security breach in which millions of e-mail addresses were transferred to outside servers. One result of this breach was millions of phishing e-mails to customers and the potential for the loss of financial assets.

As data breaches rise in significance and frequency, the Obama administration and Congress are proposing new legislation that would require firms to report data breaches within specific time frames, and set standards for data security. The Data Accountability and Trust Act of 2011 being considered by Congress requires firms to establish security requirements and policies, notify potential victims of a data loss "without unreasonable delay," and notify a major media outlet and all major credit reporting agencies within 60 days if the credit card data on more than 5,000 individuals are at risk. Currently, 46 states have such legislation. In the past, many organizations failed to report data breaches for fear of harming their brand images. It is unclear if the proposed legislation would reduce the incidence of data breaches.
