Hacker steals 2,000 records from Canadian site

The problems keep coming for Sony. On Tuesday the company confirmed that someone had hacked into its Web site and stolen about 2,000 customer names and e-mail addresses.

Close to 1,000 of the records have already been posted online by a hacker calling himself Idahc, who says he’s a “Lebanese grey-hat hacker.” Idahc found a common Web programming error, called an SQL injection flaw, that allowed him to dig up the records on the Canadian version of the Official Sony Ericsson eShop, an online store for mobile phones and accessories.

The hacker got access to records for about 2,000 customers, including their names and e-mail addresses and a hashed version of users’ passwords, said Ivette Lopez Sisniega, a Sony Ericsson Mobile Communications spokeswoman. “Sony Ericsson has disabled this e-commerce website,” she said in an e-mail message. “We can confirm that this is a standalone website and it is not connected to Sony Ericsson servers.”

Other than the names and e-mail addresses, no personal or banking information was compromised, she said.

Idahc disputed that claim, saying in a Twitter message that he also obtained addresses, phone numbers and information on discount coupons.

Sony Ericsson is a mobile-phone company run jointly by Sony and Ericsson.

Sony has been under continual cyber-attack since April, when its PlayStation Network was hacked and then pulled offline. Over the past week Sony BMG Japan, Sony BMG Greece, the Sony-run So-net Internet service provider, and a company server in Thailand all have been compromised, in what’s becoming a free-for-all online attack on anything belonging to Sony.

Earlier this year Sony raised the hackles of hackers by suing George Hotz, a well-respected hacking enthusiast, who’d found a way to break Sony’s controls and install Linux on his PlayStation 3. Sony eventually settled with Hotz, but to many it came off as a bully in the affair.

Now, increasingly, Sony looks like a company where security was merely an afterthought.

Earlier this week, Sony said the attacks will cost it at least $170 million.

Sony’s continued problems reflect a cavalier attitude toward computer security, said Scott Borg, CEO of the U.S. Cyber Consequences Unit, a Washington-based think tank that studies cyber-attacks. “It’s a pretty obvious conclusion that they weren’t managing their security well,” he said.

Gregory Wellman, one of Idahc’s victims, gave Sony Ericsson his information when he bought a LiveView accessory for his Android phone on the site last month.

Already a victim of last month’s breach at Epsilon Interactive, he said he has a “low trust in online forms” and gave Sony a secondary e-mail address that he reserves for Web forms.

Wellman, the CIO with Toronto-based network support company Technocosm, said that while he’s not happy to have his e-mail address and name stolen and published, the incident could have been worse. He had these words for Sony Ericsson: “Well, you guys were idiots for making it happen. At the same time, I hope it never happens to me.”

Anybody can make a Web programming error, no matter what company they work for, he said. “I don’t care if it’s Sony or AT&T. These guys are only as good as the guy who [wrote] the code.”
