Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Sony Security The Courts

Lawsuit Claims Sony Canned Security Staff Just Before Data Breach 99

Stoobalou writes "A lawsuit filed this week suggests that Sony sacked a group of employees from its network security division just two weeks before the company's servers were hacked and its customers' credit card details were leaked. The suit, which seeks class action status, is being brought by victims of the massive data breach that took place in April."
This discussion has been archived. No new comments can be posted.

Lawsuit Claims Sony Canned Security Staff Just Before Data Breach

Comments Filter:
  • by Anonymous Coward
    Service Unavailable Guru Meditation: XID: 1643227444 Varnish cache server
  • to the internet
  • https:// (Score:4, Informative)

    by TheNinjaroach ( 878876 ) on Friday June 24, 2011 @01:22PM (#36558382)
    Fixes my ability to view Slashdot articles.
    • by Aladrin ( 926209 )

      OMG Thank you. I'm definitely trying that next time. Refreshed a story for like 10 minutes earlier and never got to it. This one took a few minutes and finally worked.

    • by ideaz ( 1981092 )

      So was how some folks at my workplace were able to access Facebook before it was known to the IT dept.

    • The varnish guru's have been at it again. I just got the ability to post on the site from my work computer after 4 months of inactivity.
    • by tjkwentus ( 2291680 ) on Friday June 24, 2011 @01:41PM (#36558434) Homepage

      Or too late

      Or the sacked were involved in the breach.

      • Or the sacked were involved in the breach.

        this was the first conclusion I jumped to. There seems to be a few stories out there about disgruntled IT workers.

        Never put security in the hands of someone you're not paying very well. And never tell an IT working they are being sacked until they are already gone and passwords have been changed.

        • by McNihil ( 612243 )

          Or they sacked them because the breach was done years ago and the higher ups saw that their sec team was completely incompetent.

          Regardless of why and how I firmly believe that the breach was wide open well before it got publicly known.

          • by icebike ( 68054 )

            Higher ups saw something early? Nah.
            Its not in the nature of higher ups to know the details of the work their underlings do in this pointy-haired world.

            I suspect it is what it looks like, and even if the sacked workers were not directly involved there was
            probably some private communication on some back channel.

            My most generous evaluation upon hearing this was that those who were supposed to be watching the logs and responding to alarms were gone, which makes it Sony's fault. My most pessimistic evaluation

            • Irregardless of whether the security team were watching logs or not, there seems to be fundamental failures of their security teams in terms of network infrastructure, design and implementation. Unless they were removed because they were making too much noise about replacing their entire network with a more solid security based design, I would say this was a good move. Their security team was clearly ineffective. From everything that has come out, it didn't need to be an inside job to have been done and som
          • by slick7 ( 1703596 )

            Or they sacked them because the breach was done years ago and the higher ups saw that their sec team was completely incompetent.

            Regardless of why and how I firmly believe that the breach was wide open well before it got publicly known.

            I am sure that is what most execs would like to believe, however, their arrogance usually knows no bounds. Being so full of themselves, they obviously bit off more than they could chew.
            You have attributed conditions to villainy that simply result from stupidity. - RAH

        • by Jah-Wren Ryel ( 80510 ) on Friday June 24, 2011 @03:41PM (#36559998)

          And never tell an IT working they are being sacked until they are already gone and passwords have been changed.

          That is terrible advice, especially the "never" part.

          There is a cost to treating employees that way - it promotes a pervasive culture of distrust within the company that can be extremely damaging. It tends to chase the best and brightest on to somewhere else where they feel more respected and encourages a punch-clock mentality among those who do stay.

          It isn't like a unilateral policy is a guarantee against sabotage anyway - it doesn't take a whole of lot of brain-power for an off-balance IT guy to set up a dead-man's switch that will kick off a bunch of havoc unless he logs in to disarm it on a regular basis.

          Far better that managers should actually manage and determine on a case by case basis if the person being terminated requires exceptional handling or not.

        • Do you also blame poorly paid policemen for crime?
        • Couldn't agree more.
        • by L-four ( 2071120 )
          I wouldn't put it pass IT worker leaving putting in back doors for personal use.
      • by ElectricTurtle ( 1171201 ) on Friday June 24, 2011 @02:08PM (#36558810)
        Those responsible for sacking have been sacked. They've all been replaced at the last minute at great expense by trained llamas.
  • 2 weeks (Score:5, Insightful)

    by Aladrin ( 926209 ) on Friday June 24, 2011 @01:39PM (#36558420)

    Like 2 weeks was enough to cause the massive problems Sony had. Hah.

    No, more like, Sony found out they were incompetent and was firing them for that. Too little too late, obviously.

    And what should have Sony done, when they realized they weren't secure? Shut down their entire business for months until they could hopefully secure things?

    I'm not pulling 'months' from nowhere, either. Sony's Japanese PSN is still down while they secure it because the government won't let them bring it back up.

    • Re:2 weeks (Score:5, Insightful)

      by zigziggityzoo ( 915650 ) on Friday June 24, 2011 @01:42PM (#36558446)
      Or - they were fired, and two weeks later hacked into the systems themselves.
      • by Anonymous Coward

        Or Sony fired them then purposely neutered their security systems to start a false-flag operation to convince the world governments to enact stricter internet standards in order to stop piracy.

        • Re: (Score:2, Funny)

          by Anonymous Coward

          And somewhere within the labyrinthine Sony Complex, seated at an empty conference table, Mr. Kato folds his hands. "Just as planned," he whispers.

        • Or Sony fired them then purposely neutered their security systems to start a false-flag operation to convince the world governments to enact stricter internet standards in order to stop piracy.

          Or Bush ordered the hack because PSN users were close to uncovering the truth about the involvement of giant lizard-built space lasers in the 9/11 setup...

          'Why Bush' you ask? Well, Obama is literally a puppet, a mechatronic puppet; controlled by brainwaves from the fleet of orbiting spacecraft piloted by angels who protect us from the lizards. And....

          (While we're on crazy theories)

          • Re:2 weeks (Score:5, Funny)

            by Obfuscant ( 592200 ) on Friday June 24, 2011 @02:14PM (#36558876)

            Well, Obama is literally a puppet, a mechatronic puppet; controlled by brainwaves from the fleet of orbiting spacecraft piloted by angels who protect us from the lizards. And....

            Much simpler and more nefarious than that. He's receives his control messages from one or more visual cuing devices placed in front of him whenever he appears in public, which contain encoded messages for him to speak at the appropriate times.

            Humans, I mean we, call them 'teleprompters'.

            • You don't need anything so complicated. Just hack his teleprompters, and you own him.

            • Well, Obama is literally a puppet, a mechatronic puppet; controlled by brainwaves from the fleet of orbiting spacecraft piloted by angels who protect us from the lizards. And....

              Much simpler and more nefarious than that. He's receives his control messages from one or more visual cuing devices placed in front of him whenever he appears in public, which contain encoded messages for him to speak at the appropriate times.

              Humans, I mean we, call them 'teleprompters'.

              So you're saying he's like a black Ron Burgundy.

            • Heck, Obama doesn't even sign the Bills anymore. He has a computer pen do it for him! He's laughing at all of his in his MIDI voice once the cameras are off.
          • by turgid ( 580780 )

            Now we know David Icke's [google.com] slashdot ID.

    • What's probably more relevant to the suit was whether Sony was aware of the alleged small scale attacks and did nothing about. The layoffs may not have had any impact on the security of Sony as it assumes the laid off personnel had the skills and could have secured the servers in question.
    • by icebike ( 68054 )

      Like 2 weeks was enough to cause the massive problems Sony had. Hah.

      Two weeks was plenty of time if some of these people participated, or simply supplied account names and passwords
      to people already well versed in hacking sites and leaving no tracks.

      The massive problems were caused by Sony taking the systems off line to secure them. The hackers themselves
      probably didn't do much damage at all.

    • Re:2 weeks (Score:5, Insightful)

      by hey! ( 33014 ) on Friday June 24, 2011 @03:17PM (#36559694) Homepage Journal

      We're speculating here, and it's easy enough to cast the fired guys as villains or victims depending on what you want to imagine.

      In the universe where they're victims:

      That the security breech occurred so soon after these guys were fired is far from proof that they were incompetents. Two weeks is plenty of time for key systems to be mis-configured by a replacement who doesn't understand what's going on, or to fail to perform some important maintenance task like applying a critical security patch. It is also possible that the attack ought to have been detected and contained, but there was nobody left who knew how to do that.

      In the universe where they're villains:

      That the security breech occurred so soon after these guys were fired suggests they failed to secure the system, or were in fact actually malicious themselves. Two weeks would not be enough time to fix much after you fired them.

      In any conceivable universe:

      It would be stupid fire all your security guys for incompetence without bringing in replacements *first*. Even if these guys are incompetent, they know details that their competent replacements will need to know, and which are probably not well documented. Not knowing these details would set the competent replacements back far enough that they might take several more weeks to get things locked down properly.

      Being prepared before you give the old team the boot goes even if you have *malicious* network guys. If management knows its job, they get the security tiger team AND the legal team AND the computer forensics team ready for action before the evil admins realize anyone's on to them. Then one morning the admins find themselves locked out of work and subpoenaed, and the systems all shut down damn the cost until the new security team say it's kosher to open for business.

      In the universe we actually live in:

      As yet we know very little about how the security disaster happened, and have no idea whether the events mentioned in the lawsuit are relevant at all.

      • by joebok ( 457904 )

        You forgot the conspiracy theory universe:

        1) Hackers hack into unsecured Sony executive's laptop to plant evidence of malfeasance of key security group.
        2) Key security group is fired.
        3) Hackers hack Sony site(s) left vulnerable by changing of the guard.
        4) Hackers sue Sony for firing security people.
        5) Profit!!

      • by Tablizer ( 95088 )

        Which scenario has the goatees?

      • by sjames ( 1099 )

        That the security breech occurred so soon after these guys were fired is far from proof that they were incompetents. Two weeks is plenty of time for key systems to be mis-configured by a replacement who doesn't understand what's going on, or to fail to perform some important maintenance task like applying a critical security patch. It is also possible that the attack ought to have been detected and contained, but there was nobody left who knew how to do that.

        Or management had been requesting an incredibly stupid thing for months and the security team had been refusing for as long because of the extreme risk. The new team promptly complied with management since they knew what got the last guys fired.

    • It's not like the Japanese are all that proactive or effective about safety and security. The Fukushima Daiichi nuclear plant has made that abundantly clear. Perhaps too much rigid hierarchical thought processes.
    • Like 2 weeks was enough to cause the massive problems Sony had. Hah.

      Large layoffs in large companies are rarely a big secret. Meaning that people likely new months in advance. Now imaging what would you do if you knew that your department is going to get an axe? Would you be doing your normal job? - or drinking coffee and looking for a new job already?

      No, more like, Sony found out they were incompetent and was firing them for that. Too little too late, obviously.

      Such companies are run by accountants. To them security is a buzzword without any particular meaning. After a successful lawsuit it might get a real $$$ number and then they would start paying attention to it. But not a mome

      • December 29, 2010 Fail Overflow has a hacking PS3 press conference talking about how the PS3 was hacked. They publicly show how each part of the PS3 security setup is a failure.
      • Early April, 2011 Sony fires some people in the security team
      • April 16-17, 2011 PSN is hacked resulting in loss of customer info
    • by Anonymous Coward

      Posting anonymously because we had Sony in for a tech briefing in January...while I wasn't in the room, one of my colleagues led a discussion around security.

      He basically came away stunned at the lack of focus and seriousness they about network security. It was about what a typical web-site (not an e-commerce site) would have had in 2000.

      Whoever actually hacked them, it was made possible by executives who didn't understand the need, didn't invest in the right tech, and didn't have anything close to the righ

    • by dbIII ( 701233 )
      Somebody without adult supervision can seriously fuck up the security on a server in a lot less than two weeks.
      An email server I set up was fucked up when the person who was given the root password set all file permissions to read/write/execute by anyone, gave everyone shell accounts, opened up ssh access from anywhere and one user had the password "coffee". A script kiddie just did a simple dictionary attack then and owned the thing so I was called back to set it up again.
      I use one of the platters of the
  • by 228e2 ( 934443 ) on Friday June 24, 2011 @01:41PM (#36558444)
    It's not like they were in the middle of implementing a new security schema when they were let go. I'm pretty sure the fail of Sony to protect customer information occurred months before this.
    • It's not like they were in the middle of implementing a new security schema when they were let go. I'm pretty sure the fail of Sony to protect customer information occurred months before this.

      Unless these guys were being replaced by a "better" team then it goes to show a lax attitude towards security on Sony's part.

  • Built-in defense (Score:1, Insightful)

    by DaveV1.0 ( 203135 )

    "They weren't doing their jobs so we fired them. Why do you think the intrusion happened in the first place?"

  • by space_jake ( 687452 ) on Friday June 24, 2011 @01:46PM (#36558506)
    Those responsible for the sacking have also been sacked.
  • And none of them hacked in to change the PowerPoint for shareholders to porn?

    They must have not learned from our article earlier this week...

  • Anyone else thinking these guys may have had something to do with the hack themselves?

    • by Nikker ( 749551 )
      From a legal prospect it would seem as an amazing scape goat. Also it could prove Sony had a role in letting the service continue running on cruise control while knowing it was likely to break down.
      • Or quite possibly the security people informed the management about the problems and asked for budget to fix and were told no. I am guessing not many people saying they were at fault actually work for corporations...

    • by marcosdumay ( 620877 ) <(marcosdumay) (at) (gmail.com)> on Friday June 24, 2011 @02:37PM (#36559170) Homepage Journal

      Maybe they were fired because they complained too much that Sony didn't care about security. Or that they upped that complain into the CEO, that preferred the CIO version. Maybe they threatened to make the problem public and their boss didn't like it. Maybe they weren't seen as productive because they kept fixing things the entire day, instead of helping build new things, and were understaffed. Maybe the company didn't like the policies they tried to put in place, so not only didn't accept the policies, but also fired them (this option seems to be quite likely). Maybe they weren't competent enough to put some good security in place, but still dedicated enough to security so that they anoyed people. Or, finally maybe they were justly fired by incompentence.

  • ... is to suspect that if you fire someone in IT Security and your organization is hacked 2 weeks later... hmmm, who would be your first suspect?

    • I fired our janitors and two weeks later the place was a mess. The janitors did it!
      I fired the police and two weeks later crime rates were sky high. The police are the culprits!

      It all depends on what Sony did to keep security up after it fired the workers. If they didn't replace them with at least temporary contractors or IT people from other departments, then they intentionally left their guard down. Strike when the guard is down. Just because the events occurred near each other is circumstantial. If I was

    • The new guys. They came on and then 1 week later. Bam! Hacked.
  • Were they all canned as a corporate profit/cost saving measure or because they were complaining about problems/security flaws and their upper management didn't want to hear about it? Or maybe they were all incompetent?

    That's what really makes the difference in this case.

    • Were they really fired? That should be the first question asked. No need for conspiracy theories if nothing actually happened.

      • Corporate America does that from time to time, rather than having to pay out for unemployment, they make the job so hellishly miserable that the employee quits and the has the human trash at the unemployment insurance department cover their asses for it.

        It boggles my mind as to why the adjudicators aren't prevented from being paid by the employers. The money should be coming from the state. But then again the money to pay for the USPTO should be coming from the Federal Government rather than from fees, so n

  • by gearloos ( 816828 ) on Friday June 24, 2011 @03:07PM (#36559568)
    I could honestly care less why they sacked them. I just want something out of SONY. For the PS3 storing open text negligence, for taking away a feature I paid for (Linux- Other OS) and not giving a rats ass about me, for the Rootkit they put on my system with no real punishment, for the liars that lobbied the Bluray to win over the far superior technology that was HDDVD, for well, "EVERYTHING SONY". For the rootkit alone, their senior staff should have been criminally prosecuted. If I was to put a rootkit on a SONY Server by giving an employee a cd to listen to at work, I'd certainly be in jail. The best part- I went to GTPlanet (for the Gran Turismo Game, GT5) after this and the dam Fanboi mentality of today is every post I saw that complained or said anything remotely bad was shut down by 100 posts saying Sony is such a great company for trying to rebuild everything and that it is so great they are looking out by telling everyone about it..blah blah blah I've had enough- Boycott these thieving asshats. I want my $0.99 from the Class Action Suit. It's almost as good as a company changing the law like Verizon and ATT with their "Unlimited" Plans that are actually 5GB or less.... Truth in advertising? But I digress... I only mention them because they are also tops up there on the list with Sony of companies that do what they please and colude but yet give lots of $$ to lobby their cause to a corrupt (or rather incompetent) judicial system.
    • by jd2112 ( 1535857 )
      End result: Lawyers will get big $$$ in a settlement, you'll get a free month of PSN and a chance of identity theft after the next breach.
    • They gave you two free games and a month of Playstation Plus. They also give you a year worth of identity theft insurance. That is more than $0.99 from any Class Actions suit. Hell if you have a PSP then that is 4 games. Then there was the free movie rentals and 6 months of Qriocity music thing.

      You can't complain that they didn't try to give you 'something.'

      Some of things you mention did have class action suits. The root kit thing resulting in Sony replacing CDs.

    • I just want something out of SONY.

      They already gave you a free rootkit, what do you want? Don't be greedy.

  • I can't see a bunch of disgruntled ex-employees creating this entire security breach in two weeks.

    I _can_ see a bunch of losers getting fired for not doing their jobs.

    But I can also _totally_ see a bunch of disgruntled ex-employees, after being forced to work for ages with a broken security system which they did not themselves build, "accidentally" letting slip some inside info about that system's existing vulverabilities in the weeks after being fired. "Yeah? You don't reckon you need security staff? Le

  • The relevant question here isn't when they were sacked, or how many were sacked, but why they were sacked. The article doesn't really answer the question that matters. :^(

    • There's a reason the article doesn't answer that question; because the answer is really, really dull.

      At least that is what I'm assuming. The truth of the matter is that two weeks prior to the company's servers being hacked (March 30th) Sony Online Entertainment was forced to lay off a large amount of staff (I believe the number I read was 1/3) due to financial reasons. This layoff included programmers, designers, artists, administrative staff, and yes, people involved in the network security division.

      I for

      • Yeah, people think its like the movie hackers. Whenever an attack happens, an alarm goes off and a security sits down into a chair and frantically begins typing in a frantic attempt to protect the Gibson. "He's breached the 3rd firewall!!!"

        That's just not how it works. Holes have to be closed *before* someone/something goes through them. If they hadn't found this hole for all the time it existed before it was exploited, odds are they weren't going to just happen to find it over the course of the

  • SONY and Meetings (Score:2, Interesting)

    by Anonymous Coward

    I've worked at SONY, though not in the security group. To do anything, there were at least 10 meetings to "decide to do something" followed by another 20 meetings to decide "WHAT" to do. Often, the WHAT wouldn't be possible, because the doers weren't invited.

    SONY can spend lots and lots of money on things they believe will make them money and $0 on stuff that doesn't ... like security.

    Where I worked was filled with IBM-Japan running AIX systems. Half of these people were really sharp and the other half, w

    • As I wrote to SOE support about the everquest2.com service and characters profiles being outdated and bugged, they replied straight it was due to the service having no staff to fix anything. I thing this tell much about the state of lays-offs and ability to secure or update services. The everquest2.com website identify users using station SOE logins.

      Here is the reply the gave:

      Subject: Bugged character profiles [Incident: 110619-000022]
      Response Via Email (TSR Steven G.) 06/23/2011 09:15 AM
      Greetings leagri

      • by La Gris ( 531858 )

        Here is my reply to their statements:

        I contest you took part of the assets I pay for as my SOE subscription, to abandon it as a pretending free service. Shall I sue Sony about that?
        Even critically, you straight tell me there is no team to fix bugs and hence this service may as well be subject to data breaches, like the one your fired security team failed to fix in may, and caused six weeks of unavailability and caused critical data like credit cards numbers, passwords and private user data to leak in pirate

  • Can't live with them, and when you finally get rid of them, what follows is worse.

    On a related note, why not trial-fire all these stupid managers and see what happens?

  • But I feel it's appropriate to say hahahahahahaha.

    If there was a lesson to be learned I feel it was probably lost amongst all the inevitable finger pointing and 'covering of ass' and other machinations. But don't worry, the appropriate tech staff not involved in the decision were reprimanded for not picking up the slack left but the involuntary departure of the security team.

    Rest assured, no management was harmed in the production of this stupidity.

  • I do believe Sony was negligent in its handling of sensitive customer information, though this is probably more common than we'd like to think. The vast majority of these exploits were found with an off-the-shell point-and-click vulnerability finder. That one website should fall to this sort of thing is a shame, when 20+ do over the span of a few weeks, its another matter entirely. Sony could have prevented many of these simply by running the exact same publicly named tool themselves after the first 2-3

If all else fails, lower your standards.

Working...