It's been several months since the massive hack that brought the PlayStation Network to its knees, and for Sony the nightmare isn't over. A new lawsuit filed this past week alleges that the company ignored the warnings of its own staff, made no attempt to address the smaller break-ins now seen as precursors to the huge assault that followed, and actually laid off security personnel shortly before the main attack.
There are numerous allegations. The company is accused of lavishly upgrading its own corporate security while neglecting to safeguard consumer information. Part of that last charge is already an established fact: while Sony remains the genuine victim of an attack, the company's external-facing servers were running outdated security software with known flaws. There were actually two significant incidents. Roughly 77 million PlayStation Network accounts were accessed in April, and a further 25 million Sony Online Entertainment accounts were compromised in a second breach disclosed on May 2.
The suit doesn't say how many SOE (Sony Online Entertainment) employees were laid off, but it describes the number as a "substantial percentage." If the suit is accurate, Sony may end up looking worse than it already does. Unlike the data breach itself, which we didn't expect to cause long-term harm to the company, a case demonstrating that executives cared only about patching security flaws on the corporate side of the house really *could* leave a bad taste in customers' mouths.
As much as this news could make Sony's lousy PR situation even worse, we suspect Sony's decision to let some portion of its security staff go had remarkably little to do with the success of the two attacks in question. Some of the flaws in Sony's security posture had existed for quite some time and could only have been fixed by changes to corporate policy, not by putting more cooks in the kitchen. In the absence of sound IT policy, the best security experts in the world can do little more than watch a disaster unfold.
The plaintiffs in the case (Felix Cortorreal, Jacques Daoud Jr., and Jimmy Cortorreal) allege that Sony should have known a larger breach was imminent based on the smaller attacks that occurred in the preceding weeks. If the judge accepts this line of reasoning, Sony's failure to secure its network (and the firing of part of its staff) could look very bad indeed. On the other hand, technical data on the nature of the attacks could actually help exonerate the company. We can safely assume that the externally facing servers of the PSN were probed by would-be attackers on a fairly regular basis, as any internet-facing system is. It's one thing to say a company failed to recognize or respond to a small-scale test of the same tactic later used against it at scale; it's another to prove that the earlier attacks were connected to the big one at all. Whatever attacks occurred prior to the major breach may or may not have been related.