Slashdot Mirror
Lawsuit Claims Sony Canned Security Staff Just Before Data Breach
Stoobalou writes "A lawsuit filed this week suggests that Sony sacked a group of employees from its network security division just two weeks before the company's servers were hacked and its customers' credit card details were leaked. The suit, which seeks class action status, is being brought by victims of the massive data breach that took place in April."
Service Unavailable Guru Meditation: XID: 1643227444 Varnish cache server
to the internet
Fixes my ability to view Slashdot articles.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Or too late
Like 2 weeks was enough to cause the massive problems Sony had. Hah.
No, more like, Sony found out they were incompetent and was firing them for that. Too little too late, obviously.
And what should have Sony done, when they realized they weren't secure? Shut down their entire business for months until they could hopefully secure things?
I'm not pulling 'months' from nowhere, either. Sony's Japanese PSN is still down while they secure it because the government won't let them bring it back up.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
So, their termination was clearly justified as they failed to do their jobs properly.
'This network is like Swiss cheese. You're fired!' Two weeks later; pwned.
It's not like they were in the middle of implementing a new security schema when they were let go. I'm pretty sure the fail of Sony to protect customer information occurred months before this.
Since when does being a Socialist mean 'someone who has a different opinion than me'?
"They weren't doing their jobs so we fired them. Why do you think the intrusion happened in the first place?"
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
maybe someone left the door open when they left?
"is being brought by victims" should read "is being brought by lawyers"
Those responsible for the sacking have also been sacked.
Don't you get sick of morons who don't know shit getting paid 100k a year to stick their thumb up their butt because they "graduated with honors". "Honors" doesn't make you geek, it just makes you a piece of shit who submissively follows orders.
not unthinkable.
So, are they mad that people who weren't doing their job at a high level were let go or are they implying that these people opened holes when they left?
If you have security staff and you get hacked that badly, it's probably their fault on way or another.
And none of them hacked in to change the PowerPoint for shareholders to porn?
They must have not learned from our article earlier this week...
Anyone else thinking these guys may have had something to do with the hack themselves?
... is to suspect that if you fire someone in IT Security and your organization is hacked 2 weeks later... hmmm, who would be your first suspect?
I8-D
Were they all canned as a corporate profit/cost saving measure or because they were complaining about problems/security flaws and their upper management didn't want to hear about it? Or maybe they were all incompetent?
That's what really makes the difference in this case.
But then again, he couldn't read anyway.
Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
I could honestly care less why they sacked them. I just want something out of SONY. For the PS3 storing open text negligence, for taking away a feature I paid for (Linux- Other OS) and not giving a rats ass about me, for the Rootkit they put on my system with no real punishment, for the liars that lobbied the Bluray to win over the far superior technology that was HDDVD, for well, "EVERYTHING SONY". For the rootkit alone, their senior staff should have been criminally prosecuted. If I was to put a rootkit on a SONY Server by giving an employee a cd to listen to at work, I'd certainly be in jail. The best part- I went to GTPlanet (for the Gran Turismo Game, GT5) after this and the dam Fanboi mentality of today is every post I saw that complained or said anything remotely bad was shut down by 100 posts saying Sony is such a great company for trying to rebuild everything and that it is so great they are looking out by telling everyone about it..blah blah blah I've had enough- Boycott these thieving asshats. I want my $0.99 from the Class Action Suit. It's almost as good as a company changing the law like Verizon and ATT with their "Unlimited" Plans that are actually 5GB or less.... Truth in advertising? But I digress... I only mention them because they are also tops up there on the list with Sony of companies that do what they please and colude but yet give lots of $$ to lobby their cause to a corrupt (or rather incompetent) judicial system.
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
I can't see a bunch of disgruntled ex-employees creating this entire security breach in two weeks.
I _can_ see a bunch of losers getting fired for not doing their jobs.
But I can also _totally_ see a bunch of disgruntled ex-employees, after being forced to work for ages with a broken security system which they did not themselves build, "accidentally" letting slip some inside info about that system's existing vulverabilities in the weeks after being fired. "Yeah? You don't reckon you need security staff? Lets just see if thats right..."
The relevant question here isn't when they were sacked, or how many were sacked, but why they were sacked. The article doesn't really answer the question that matters. :^(
I've worked at SONY, though not in the security group. To do anything, there were at least 10 meetings to "decide to do something" followed by another 20 meetings to decide "WHAT" to do. Often, the WHAT wouldn't be possible, because the doers weren't invited.
SONY can spend lots and lots of money on things they believe will make them money and $0 on stuff that doesn't ... like security.
Where I worked was filled with IBM-Japan running AIX systems. Half of these people were really sharp and the other half, well, not so much. I never met or heard anything about the Data Security team, but that wasn't my role while I was there, so it isn't surprising.
SONY wasn't much different from any other large company that hadn't needed to worry about security previously. I bet going forward SONY will make a security review part of every project going forward. It will be a checklist item that leads to 15 other checklists.
Pick any other consumer company, perhaps Emerson or Westinghouse. Do you think they have much real data security either?
So the Supreme court says a class action lawsuit of 1.2 million people was essentially too big to proceed for one large company, what are the odds that Sony pushes this one also to the Supremes to get it also summarily denied?
Granted, from the cheap seats, Sony's problem seems a little more concrete than the Walmart class action lawsuit, but... I'm thinking perhaps that Sony could argue that they had all the mandated protections they needed, and, well, $hit just happens sometimes, so why should we be getting sued for it?
Can't live with them, and when you finally get rid of them, what follows is worse.
On a related note, why not trial-fire all these stupid managers and see what happens?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
But I feel it's appropriate to say hahahahahahaha.
If there was a lesson to be learned I feel it was probably lost amongst all the inevitable finger pointing and 'covering of ass' and other machinations. But don't worry, the appropriate tech staff not involved in the decision were reprimanded for not picking up the slack left but the involuntary departure of the security team.
Rest assured, no management was harmed in the production of this stupidity.
My ism, it's full of beliefs.
Do you also blame poorly paid policemen for crime?
I do believe Sony was negligent in its handling of sensitive customer information, though this is probably more common than we'd like to think. The vast majority of these exploits were found with an off-the-shell point-and-click vulnerability finder. That one website should fall to this sort of thing is a shame, when 20+ do over the span of a few weeks, its another matter entirely. Sony could have prevented many of these simply by running the exact same publicly named tool themselves after the first 2-3 incidents. That more Sony websites continue to be breached daily by the same method is simply inexcusable.
All of that said, these security holes didn't just magically appear after these people were fired, they were there for months if not years. If these people were not competent enough to find such trivial exploits, then they really didn't deserve to keep their jobs and having them on staff after the attacks began likely would not have improved the situation.
Remember the "root kit"? Not to mention numerous other infractions committed by this company against its customers. I vowed long ago that not one dollar of mine would go into the pockets of this anti-competitive, anti-customer company and have kept that vow. Hopefully, more people will look more closely at the policies of this company and use their dollars to show if they support, or condemn this company.
As I wrote to SOE support about the everquest2.com service and characters profiles being outdated and bugged, they replied straight it was due to the service having no staff to fix anything. I thing this tell much about the state of lays-offs and ability to secure or update services. The everquest2.com website identify users using station SOE logins.
Here is the reply the gave:
Subject: Bugged character profiles [Incident: 110619-000022]
Response Via Email (TSR Steven G.) 06/23/2011 09:15 AM
Greetings leagris,
Thank you for contacting Sony Online Entertainment. Unfortunately, since the EQ2 players site was converted to a free service, there is not a team set to maintain/update the site. We have no ETA when or if a team will be added to maintain/update the site. We are sorry for the inconvenience that this may cause. If you have further questions, feel free to contact us.
Regards,
CSR Steven G.
Léa Gris