Some troubling allegations have surfaced in the Sony data breach saga. According to a recent lawsuit filed in San Diego, Sony is accused of knowing that “it was at increased risk of attack.” The evidence for such, per timesofindia.com:
It has already experienced smaller breaches, which means that Sony knew it was a target (but then, aren’t all websites on-line targets all the time? Especially the mega-conglomerates?)
It fired employees in the Network Operations Center, which is “responsible for preparing for, and responding to, security breaches” two weeks prior to the breaches
It installed firewalls and other security measures to protect the company data while not doing the same for its customer data
I’m not sure that the above evidence means that Sony knew anything; however, the last two are certainly troubling. Unless there’s an explanation for them.
Downsizing in Bad Times, or Something Else?
Sony couldn’t have known that firing employees in the Network Operations Center would result in a breach two weeks later. On the other hand, if you have a laid-off employee with a chip on his shoulder, and he knows how bad Sony’s on-line security happens to be (and let’s not forget that the attacks Sony has sustained were very basic and evitable)… well, you get my drift.
Regardless of whether that occurred, the point is that everyone knows that the attacks are coming at some point. Firing a sizable number of people in charge of responding to an attack is a bad policy. At the same time, these are presumably the people who were supposed to ensure that the defenses were in place to begin with. We know those defenses were severely lacking. So, how useful would they have been when the attack finally came?
Maybe they were fired exactly because Sony finally wised up to the fact that these guys weren’t doing their jobs (and hindsight tells us that they weren’t).
That’s not to discount a scenario where a (shortsighted) bean counter arrives at the conclusion that Sony doesn’t need all these people waiting around for something significant to happen because nothing has happened… and probably never will. I mean, that’s why full disk encryption software programs like AlertBoot are usually deployed at an organization after a data breach takes place, be it a stolen computer or missing external USB hard drive.
But, let’s face it, Sony had some lax security in place. Giving the pink slip to all those people because they weren’t doing their jobs could be a possibility.
Our Data vs. Their Data?
The third allegation listed above, that Sony protected their own data while not doing something similar for customer data, seems to be the more serious (and bizarre) accusation: one of the crown jewels of any on-going operation is an organization’s customer list, and this is guarded jealously by most.
Much has been written about how it’s easier and cheaper to sell (or up-sell) to an existing customer than to a new one. And, there are always the suits revolving around one company pilfering another company’s clients, or where former employees start a new company and have stolen the old company’s client list. I know of acquisitions where the main or sole purpose was the buyer trying to get its hands on the acquired company’s client list.
So, client data is not something that takes a backseat to your own data, at least not usually. In fact, client data is not usually thought of as “their data” so much as it is imagined to be “our client data.”
Which brings me to this point: client data is not usually stored separately from company data, completely siloed in a separate network. This in turn means that an attack on client data could be a means for entering the entire company network. Under such a scenario, it would be senseless to just protect “company data” and do nothing for the “client data.”
So, if the accusations are true, I’m not sure what to think. Perhaps Sony was rolling out security and they started with company data first and were eventually going to reach the client data? Or were their data security plans really so terrible that Sony overlooked many of the elementary aspects of data security?