Just before the weekend, Sony Pictures issued a statement to confirm it did indeed have its website compromised by hackers last week.
As we reported last week, hacker group LulzSec accessed the SonyPictures.com database and a million customer details, making off with at least 50,000 of them, with data including emails, home addresses, passwords, dates of birth and so on.
This is doubly embarrassing for Sony given that it follows the PSN hacking incident which saw its PS3 gaming network down for nearly a month.
Chairman and CEO Michael Lynton along with Co-Chairman Amy Pascal issued a statement which read: “The cybercrime wave that has affected Sony companies and a number of government agencies, businesses and individuals in recent months has hit Sony Pictures as well. [Last Thursday] afternoon a group of criminal hackers known as ‘LulzSec’ claimed to have breached some of our websites.”
“We have confirmed that a breach has occurred and have taken action to protect against further intrusion. A respected team of outside experts is conducting a forensic analysis of the attack.”
Sony has contacted the FBI (again) and “deeply regrets and apologizes for any inconvenience caused to consumers by this cybercrime”.
What Sony hasn’t mentioned is that the data, and indeed the passwords, were reportedly unencrypted, a shameful state of security, and that the attack was facilitated by a simple SQL injection.
If this is true, what customers are really waiting for is an explanation of why the site had such pitiful security measures in place. And if it isn’t true, you’d assume Sony would have mentioned that in the official statement.