Sony shows signs of learning after second breach

93,000 user account compromised in new attack

Entertainment giant Sony has won praise for its proactive response to hacking attacks, which saw up to 93,000 customer account logins compromised.

In a statement Sony confirmed that it had detected attempts to test a "massive set of sign-in IDs and passwords" for its Entertainment Network, Playstation Network and Online Entertainment accounts.

While most of the attempts to match login credentials failed, approximately 93,000 accounts were compromised, said Philip Reitinger, chief information security officer at Sony Group.

"These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or other sources," he added.

Sony had locked those accounts and emailed users advising them to reset their passwords, Reitinger said. He also claimed that users' credit card numbers were not at risk.

Reitinger, who has held security posts at Microsoft and the US Department of Homeland Security, has only recently arrived at Sony (he took up his post in September) giving him little time to effect any drastic changes at the firm.

Nevertheless, alerting customers to the potential problem suggested that the company showed signs of understanding the importance of securing its data, said Tony Lock, an analyst with Freeform Dynamics.

"Companies are far more likely to keep customers and maintain their loyalty when they feel the company is being open about potential problems," he said.

Earlier in the year, Sony had reluctantly admitted that it had suffered a critical security breach - one of the biggest in the history of cyber attacks - which had resulted in 70 million of its Playstation Network accounts being compromised. Those attackers may also have been able to access the users' credit card details.

At that time, Sony did not notify customers until a week after it first detected the breach, resulting in a barrage of criticism from industry watchers and customers alike.

"I don't think any customer expects companies to be perfect, especially given the increasingly sophisticated nature of cyber attacks," said Lock. "What matters to customers is how companies respond."

His comments came just a day after the chief executive of identity assurance firm RSA Security, Art Coviello told delegates at his firm's European user conference that IT chiefs should accept security attacks as inevitable and focus on how to best secure their most valuable data.

"Organisations are defending themselves with the information security equivalent of the Maginot Line as their adversaries go around them," he said.

In future, security teams would need to quickly recognise the first signs of a breach, "protect their information assets, isolate compromised elements of infrastructure and render attacks harmless," Coviello added.