Does Sony Actually Have a Clue?

“Sony suffers second data breach with theft of 25m more user details.” Actually, (according to the Guardian) this was their first loss – the Sony Online Entertainment (SOE) network was hacked on 16 & 17 April, while the PlayStation Network (PSN) was hacked between 17 & 19 April. Sony discovered the second hack first, didn’t think that the hackers had taken anything other than the initial 77 million records and then discovered that, actually, the hackers had already made off with 25 million other records. 102 million records – each with a value to hackers for whom identity theft is the new, wild opportunity – and, two weeks after the hack, Sony said: “on May 1, we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.”

Two weeks is not really as soon as possible, Sony, is it? Two weeks after the event is more than enough time for these records to have been used maliciously. A tried and tested incident response procedure – which combines forensic investigation with rapid client communication in the event of a breach – should be part of any organisation’s information security management system. Perhaps Sony should get itself an ISMS?