Lawsuit Claims Sony Canned Security Staff Just Before Data Breach
Stoobalou writes "A lawsuit filed this week suggests that Sony sacked a group of employees from its network security division just two weeks before the company's servers were hacked and its customers' credit card details were leaked. The suit, which seeks class action status, is being brought by victims of the massive data breach that took place in April."
Error 503 Service Unavailable (Score:1)
Welcome back (Score:2)
https:// (Score:4, Informative)
Re: (Score:2)
OMG Thank you. I'm definitely trying that next time. Refreshed a story for like 10 minutes earlier and never got to it. This one took a few minutes and finally worked.
Re: (Score:1)
So that was how some folks at my workplace were able to access Facebook before it was known to the IT dept.
Re: (Score:2)
So they sacked them too early (Score:1)
Or too late
Re:So they sacked them too early (Score:5, Interesting)
Or too late
Or the sacked were involved in the breach.
Re: (Score:3)
Or the sacked were involved in the breach.
this was the first conclusion I jumped to. There seem to be a few stories out there about disgruntled IT workers.
Never put security in the hands of someone you're not paying very well. And never tell an IT worker they are being sacked until they are already gone and passwords have been changed.
Re: (Score:2)
Or they sacked them because the breach was done years ago and the higher ups saw that their sec team was completely incompetent.
Regardless of why and how I firmly believe that the breach was wide open well before it got publicly known.
Re: (Score:2)
Higher ups saw something early? Nah.
It's not in the nature of higher ups to know the details of the work their underlings do in this pointy-haired world.
I suspect it is what it looks like, and even if the sacked workers were not directly involved there was probably some private communication on some back channel.
My most generous evaluation upon hearing this was that those who were supposed to be watching the logs and responding to alarms were gone, which makes it Sony's fault. My most pessimistic evaluation
Re: (Score:3)
Re: (Score:2)
Or they sacked them because the breach was done years ago and the higher ups saw that their sec team was completely incompetent.
Regardless of why and how I firmly believe that the breach was wide open well before it got publicly known.
I am sure that is what most execs would like to believe, however, their arrogance usually knows no bounds. Being so full of themselves, they obviously bit off more than they could chew.
You have attributed conditions to villainy that simply result from stupidity. - RAH
Re:So they sacked them too early (Score:4, Insightful)
And never tell an IT worker they are being sacked until they are already gone and passwords have been changed.
That is terrible advice, especially the "never" part.
There is a cost to treating employees that way - it promotes a pervasive culture of distrust within the company that can be extremely damaging. It tends to chase the best and brightest on to somewhere else where they feel more respected and encourages a punch-clock mentality among those who do stay.
It isn't like a unilateral policy is a guarantee against sabotage anyway - it doesn't take a whole lot of brain-power for an off-balance IT guy to set up a dead-man's switch that will kick off a bunch of havoc unless he logs in to disarm it on a regular basis.
Far better that managers should actually manage and determine on a case by case basis if the person being terminated requires exceptional handling or not.
Kicking the dog (Score:2)
Re: (Score:1)
Re: (Score:1)
Re:So they sacked them too early (Score:5, Funny)
Re: (Score:2)
And THAT explains the breaches.
Re:So they sacked them too early (Score:4, Informative)
2 weeks (Score:5, Insightful)
Like 2 weeks was enough to cause the massive problems Sony had. Hah.
No, more like, Sony found out they were incompetent and was firing them for that. Too little too late, obviously.
And what should have Sony done, when they realized they weren't secure? Shut down their entire business for months until they could hopefully secure things?
I'm not pulling 'months' from nowhere, either. Sony's Japanese PSN is still down while they secure it because the government won't let them bring it back up.
Re:2 weeks (Score:5, Insightful)
Re: (Score:1)
Or Sony fired them then purposely neutered their security systems to start a false-flag operation to convince the world governments to enact stricter internet standards in order to stop piracy.
Re: (Score:2, Funny)
And somewhere within the labyrinthine Sony Complex, seated at an empty conference table, Mr. Kato folds his hands. "Just as planned," he whispers.
Re: (Score:2)
I think that's about enough plot to make a movie! Do AC's have copyrights?!
Re: (Score:2)
"Comments owned by the poster."
Whoever the poster is...
Re: (Score:2)
Or Sony fired them then purposely neutered their security systems to start a false-flag operation to convince the world governments to enact stricter internet standards in order to stop piracy.
Or Bush ordered the hack because PSN users were close to uncovering the truth about the involvement of giant lizard-built space lasers in the 9/11 setup...
'Why Bush' you ask? Well, Obama is literally a puppet, a mechatronic puppet; controlled by brainwaves from the fleet of orbiting spacecraft piloted by angels who protect us from the lizards. And....
(While we're on crazy theories)
Re:2 weeks (Score:5, Funny)
Well, Obama is literally a puppet, a mechatronic puppet; controlled by brainwaves from the fleet of orbiting spacecraft piloted by angels who protect us from the lizards. And....
Much simpler and more nefarious than that. He receives his control messages from one or more visual cuing devices placed in front of him whenever he appears in public, which contain encoded messages for him to speak at the appropriate times.
Humans, I mean we, call them 'teleprompters'.
Re: (Score:1)
You don't need anything so complicated. Just hack his teleprompters, and you own him.
Bush refused to use teleprompters... (Score:2)
Re: (Score:2)
"I like-a do the cha-cha"...
Re: (Score:1)
Well, Obama is literally a puppet, a mechatronic puppet; controlled by brainwaves from the fleet of orbiting spacecraft piloted by angels who protect us from the lizards. And....
Much simpler and more nefarious than that. He receives his control messages from one or more visual cuing devices placed in front of him whenever he appears in public, which contain encoded messages for him to speak at the appropriate times.
Humans, I mean we, call them 'teleprompters'.
So you're saying he's like a black Ron Burgundy.
Re: (Score:1)
Re: (Score:2)
Now we know David Icke's [google.com] slashdot ID.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Like 2 weeks was enough to cause the massive problems Sony had. Hah.
Two weeks was plenty of time if some of these people participated, or simply supplied account names and passwords to people already well versed in hacking sites and leaving no tracks.
The massive problems were caused by Sony taking the systems off line to secure them. The hackers themselves probably didn't do much damage at all.
Re:2 weeks (Score:5, Insightful)
We're speculating here, and it's easy enough to cast the fired guys as villains or victims depending on what you want to imagine.
In the universe where they're victims:
That the security breach occurred so soon after these guys were fired is far from proof that they were incompetents. Two weeks is plenty of time for key systems to be mis-configured by a replacement who doesn't understand what's going on, or to fail to perform some important maintenance task like applying a critical security patch. It is also possible that the attack ought to have been detected and contained, but there was nobody left who knew how to do that.
In the universe where they're villains:
That the security breach occurred so soon after these guys were fired suggests they failed to secure the system, or were in fact actually malicious themselves. Two weeks would not be enough time to fix much after you fired them.
In any conceivable universe:
It would be stupid to fire all your security guys for incompetence without bringing in replacements *first*. Even if these guys are incompetent, they know details that their competent replacements will need to know, and which are probably not well documented. Not knowing these details would set the competent replacements back far enough that they might take several more weeks to get things locked down properly.
Being prepared before you give the old team the boot goes even if you have *malicious* network guys. If management knows its job, they get the security tiger team AND the legal team AND the computer forensics team ready for action before the evil admins realize anyone's on to them. Then one morning the admins find themselves locked out of work and subpoenaed, and the systems all shut down damn the cost until the new security team says it's kosher to open for business.
In the universe we actually live in:
As yet we know very little about how the security disaster happened, and have no idea whether the events mentioned in the lawsuit are relevant at all.
Re: (Score:2)
You forgot the conspiracy theory universe:
1) Hackers hack into unsecured Sony executive's laptop to plant evidence of malfeasance of key security group.
2) Key security group is fired.
3) Hackers hack Sony site(s) left vulnerable by changing of the guard.
4) Hackers sue Sony for firing security people.
5) Profit!!
Re: (Score:1)
Which scenario has the goatees?
Re: (Score:2)
That the security breach occurred so soon after these guys were fired is far from proof that they were incompetents. Two weeks is plenty of time for key systems to be mis-configured by a replacement who doesn't understand what's going on, or to fail to perform some important maintenance task like applying a critical security patch. It is also possible that the attack ought to have been detected and contained, but there was nobody left who knew how to do that.
Or management had been requesting an incredibly stupid thing for months and the security team had been refusing for as long because of the extreme risk. The new team promptly complied with management since they knew what got the last guys fired.
Re: (Score:1)
Re: (Score:2)
Like 2 weeks was enough to cause the massive problems Sony had. Hah.
Large layoffs in large companies are rarely a big secret. Meaning that people likely knew months in advance. Now imagine what you would do if you knew that your department is going to get the axe? Would you be doing your normal job? - or drinking coffee and looking for a new job already?
No, more like, Sony found out they were incompetent and was firing them for that. Too little too late, obviously.
Such companies are run by accountants. To them security is a buzzword without any particular meaning. After a successful lawsuit it might get a real $$$ number and then they would start paying attention to it. But not a mome
Timeline (Score:1)
Re: (Score:1)
Posting anonymously because we had Sony in for a tech briefing in January...while I wasn't in the room, one of my colleagues led a discussion around security.
He basically came away stunned at the lack of focus and seriousness they had about network security. It was about what a typical web-site (not an e-commerce site) would have had in 2000.
Whoever actually hacked them, it was made possible by executives who didn't understand the need, didn't invest in the right tech, and didn't have anything close to the righ
Re: (Score:2)
An email server I set up was fucked up when the person who was given the root password set all file permissions to read/write/execute by anyone, gave everyone shell accounts, opened up ssh access from anywhere and one user had the password "coffee". A script kiddie just did a simple dictionary attack then and owned the thing so I was called back to set it up again.
I use one of the platters of the
Re: (Score:3)
Or, perhaps, they fired the people who tried to tell them the emperor has no clothes? Seems to me you are assuming an awful lot.
Re: (Score:2)
Indeed, given the severity of the vulnerabilities, it's hard for me to believe that this wasn't something that Sony's executive board knew about. If they're like many other businesses, they didn't feel like paying the cost of securing the service and got bitten on the ass. Whether it was an inside job or not, the exploit wasn't particularly sophisticated and should have long since been patched.
So? (Score:3)
Re: (Score:2)
It's not like they were in the middle of implementing a new security schema when they were let go. I'm pretty sure the fail of Sony to protect customer information occurred months before this.
Unless these guys were being replaced by a "better" team then it goes to show a lax attitude towards security on Sony's part.
Built-in defense (Score:1, Insightful)
"They weren't doing their jobs so we fired them. Why do you think the intrusion happened in the first place?"
Re: (Score:2)
Unless it's a class action suit*, the lawyers represent the victims. When you need a lawyer, you NEED a lawyer.
*RTFA? Ewe muss bee knew hear!
Re: (Score:1)
As sm62704's sig used to say a long time ago, his original account was mcgrew and he lost the password. It has apparently been recovered.
So as he said, "Ewe muss bee knew hear"
and now for something completely different... (Score:5, Funny)
Re: (Score:2)
Lesson Learned? (Score:1)
And none of them hacked in to change the PowerPoint for shareholders to porn?
They must have not learned from our article earlier this week...
Are they responsible? (Score:1, Troll)
Anyone else thinking these guys may have had something to do with the hack themselves?
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Or quite possibly the security people informed the management about the problems and asked for budget to fix and were told no. I am guessing not many people saying they were at fault actually work for corporations...
Re:Are they responsible? (Score:5, Insightful)
Maybe they were fired because they complained too much that Sony didn't care about security. Or that they upped that complaint to the CEO, who preferred the CIO's version. Maybe they threatened to make the problem public and their boss didn't like it. Maybe they weren't seen as productive because they kept fixing things the entire day, instead of helping build new things, and were understaffed. Maybe the company didn't like the policies they tried to put in place, so not only didn't accept the policies, but also fired them (this option seems to be quite likely). Maybe they weren't competent enough to put some good security in place, but still dedicated enough to security so that they annoyed people. Or, finally, maybe they were justly fired for incompetence.
The Natural Suspicion... (Score:2)
... is to suspect that if you fire someone in IT Security and your organization is hacked 2 weeks later... hmmm, who would be your first suspect?
Re: (Score:1)
I fired our janitors and two weeks later the place was a mess. The janitors did it!
I fired the police and two weeks later crime rates were sky high. The police are the culprits!
It all depends on what Sony did to keep security up after it fired the workers. If they didn't replace them with at least temporary contractors or IT people from other departments, then they intentionally left their guard down. Strike when the guard is down. Just because the events occurred near each other is circumstantial. If I was
Re: (Score:1)
But the question is why? (Score:2)
Were they all canned as a corporate profit/cost saving measure or because they were complaining about problems/security flaws and their upper management didn't want to hear about it? Or maybe they were all incompetent?
That's what really makes the difference in this case.
Re: (Score:1)
Were they really fired? That should be the first question asked. No need for conspiracy theories if nothing actually happened.
Re: (Score:2)
Corporate America does that from time to time, rather than having to pay out for unemployment, they make the job so hellishly miserable that the employee quits and then has the human trash at the unemployment insurance department cover their asses for it.
It boggles my mind as to why the adjudicators aren't prevented from being paid by the employers. The money should be coming from the state. But then again the money to pay for the USPTO should be coming from the Federal Government rather than from fees, so n
Re:But the question is why? (Score:4, Informative)
Who cares why they fired them- I want Sony $$ (Score:5, Interesting)
Re: (Score:2)
Re: (Score:1)
They gave you two free games and a month of Playstation Plus. They also give you a year worth of identity theft insurance. That is more than $0.99 from any Class Actions suit. Hell if you have a PSP then that is 4 games. Then there was the free movie rentals and 6 months of Qriocity music thing.
You can't complain that they didn't try to give you 'something.'
Some of things you mention did have class action suits. The root kit thing resulting in Sony replacing CDs.
Re: (Score:2)
I just want something out of SONY.
They already gave you a free rootkit, what do you want? Don't be greedy.
It won't happen overnight... (Score:1)
I can't see a bunch of disgruntled ex-employees creating this entire security breach in two weeks.
I _can_ see a bunch of losers getting fired for not doing their jobs.
But I can also _totally_ see a bunch of disgruntled ex-employees, after being forced to work for ages with a broken security system which they did not themselves build, "accidentally" letting slip some inside info about that system's existing vulnerabilities in the weeks after being fired. "Yeah? You don't reckon you need security staff? Le
TFA doesn't answer the relevant question (Score:2)
The relevant question here isn't when they were sacked, or how many were sacked, but why they were sacked. The article doesn't really answer the question that matters. :^(
Re: (Score:2)
There's a reason the article doesn't answer that question; because the answer is really, really dull.
At least that is what I'm assuming. The truth of the matter is that two weeks prior to the company's servers being hacked (March 30th) Sony Online Entertainment was forced to lay off a large amount of staff (I believe the number I read was 1/3) due to financial reasons. This layoff included programmers, designers, artists, administrative staff, and yes, people involved in the network security division.
I for
Re: (Score:2)
Yeah, people think it's like the movie Hackers. Whenever an attack happens, an alarm goes off and a security guy sits down in a chair and frantically begins typing in a frantic attempt to protect the Gibson. "He's breached the 3rd firewall!!!"
That's just not how it works. Holes have to be closed *before* someone/something goes through them. If they hadn't found this hole for all the time it existed before it was exploited, odds are they weren't going to just happen to find it over the course of the
SONY and Meetings (Score:2, Interesting)
I've worked at SONY, though not in the security group. To do anything, there were at least 10 meetings to "decide to do something" followed by another 20 meetings to decide "WHAT" to do. Often, the WHAT wouldn't be possible, because the doers weren't invited.
SONY can spend lots and lots of money on things they believe will make them money and $0 on stuff that doesn't ... like security.
Where I worked was filled with IBM-Japan running AIX systems. Half of these people were really sharp and the other half, w
Layoffs and abandoned departments (Score:2)
As I wrote to SOE support about the everquest2.com service and character profiles being outdated and bugged, they replied straight that it was due to the service having no staff to fix anything. I think this tells much about the state of layoffs and the ability to secure or update services. The everquest2.com website identifies users using Station SOE logins.
Here is the reply they gave:
Subject: Bugged character profiles [Incident: 110619-000022]
Response Via Email (TSR Steven G.) 06/23/2011 09:15 AM
Greetings leagri
Re: (Score:2)
Here is my reply to their statements:
I contest you took part of the assets I pay for as my SOE subscription, to abandon it as a pretending free service. Shall I sue Sony about that?
Even critically, you straight tell me there is no team to fix bugs and hence this service may as well be subject to data breaches, like the one your fired security team failed to fix in May, which caused six weeks of unavailability and caused critical data like credit card numbers, passwords and private user data to leak in pirate
Pesky security folks (Score:2)
Can't live with them, and when you finally get rid of them, what follows is worse.
On a related note, why not trial-fire all these stupid managers and see what happens?
I normally wouldn't (Score:2)
But I feel it's appropriate to say hahahahahahaha.
If there was a lesson to be learned I feel it was probably lost amongst all the inevitable finger pointing and 'covering of ass' and other machinations. But don't worry, the appropriate tech staff not involved in the decision were reprimanded for not picking up the slack left by the involuntary departure of the security team.
Rest assured, no management was harmed in the production of this stupidity.
This is a silly premise for a lawsuit (Score:2)
I do believe Sony was negligent in its handling of sensitive customer information, though this is probably more common than we'd like to think. The vast majority of these exploits were found with an off-the-shelf point-and-click vulnerability finder. That one website should fall to this sort of thing is a shame; when 20+ do over the span of a few weeks, it's another matter entirely. Sony could have prevented many of these simply by running the exact same publicly named tool themselves after the first 2-3