Sony PlayStation Network Breach
Established in 1955, Sony is today a household name. Sony was the first company to create an all-transistor radio, and it has a reputation for being very innovative. Most of the gadgets and electronics in use today were developed by this company. Sony is remembered for the popular Sony-Tape, a magnet-coated recording tape. It is also known for making transistors, the first color television sets, video cassette players, the Walkman and video camcorders, as well as HD video cameras and recorders. Nowadays, Sony is an international company that sells its products all over the world. Despite these successes, Sony suffered a breach of its online video game network. This saw the theft of names, credit card information and other crucial data, including addresses and other information, of about 77 million active users (Sony under attack, 2011). This made it, in fact, among the biggest internet security breaches ever witnessed.
Sony learnt that users' information had been stolen from the PlayStation Network about a week after the incident. Following this event, the company had to shut down the network immediately. Sony was discreet about the break-in, informing the public only after some time. The large electronics company was confronted by the public for not having disclosed the information in time. It was also criticized for not handling the March earthquake nuclear crisis at the Tokyo Electric Power Company (Overview Security Breach, 2011). Unauthorized users who got into the Sony PlayStation Network obtained addresses, names, email addresses, usernames, dates of birth, passwords, security questions, login details, etc. The shutdown prevented video game owners from downloading or buying games developed by the company. What’s more, they could not even play against rivals on the internet. A research director, Alan Paller, said that the breach was the largest identity theft ever witnessed. Therefore, the breach was a major setback for Sony. Video game software and hardware have been on the decline globally, but the PlayStation franchise has been on a steady rise and is among the products that Sony relied on. Accounts that parents created for their children could also have been exposed to risk (McGee & Byington, 2013).
Although there was no tangible evidence that credit cards were stolen, users were warned not to exclude that possibility. Sony advised users that their credit and security information may have been obtained by the hackers. Analysts, though, were quick to point out that whereas customers had been informed about the breach, Sony did not provide information on how the accounts may have been compromised. It was a huge data breach and a loss of significant income for Sony, considering that the PlayStation service generates about $500 million in annual revenue (Kolfal et al., 2013). Illegally obtained information may be used by the hackers to compromise the company. In response, Sony hired a recognized security firm to investigate the issue. Security analysts blame Sony for not having paid close attention to the development of the software that runs the PlayStation service. Sony has always been innovative. This could also have caused the breach in its data security. In the rush to innovate, companies do not take enough time to look into the products and software they are developing (Yang et al., 2011).
New software usually has errors in it, and it would have been proper to look into the issue of software security first. They might have exposed code with errors to many people. This in itself was catastrophic. The hackers must have had access to the system administrator’s PC network controls, since it is only the systems administrator who has access to sensitive information about the company. They might have sent the administrator an email that contained malicious software to corrupt the whole system. In the past, hackers have stolen information from large companies, but not on the scale that it happened to Sony. In 2009, a man pleaded guilty to stealing millions of card numbers after breaking into the computer systems of companies like 7-Eleven and Target (David, 2009). In a bid to combat the situation, Sony advised users to report alerts on suspicious actions on their accounts through recognized credit card bureaus that it recommended in a statement. It also reassured users that it would restore most of the services within a span of one week so that they could go on with their activities after the breach. Sony also enlisted the support of private investigators and law enforcement agencies to get to the root of the issue (McGee & Byington, 2013). The Online PlayStation was launched in 2006. It offers music, games and movies to people who have PlayStation consoles. By the time of the attack, there were 77 million active users.
The lesson that Sony was able to learn was that it should be aware of the repercussions of quick innovation (Ip, 2008). It must ensure that its data security is well looked into. Software should be well tested before it is released into the market. This will avert future attacks and breaches. The attackers were not arrested. However, the breach served as a warning to Sony that hacking was real and that it had to introduce measures to ensure that customers' data was well protected. It had to do this even if it meant investing huge amounts of money to safeguard the data of its esteemed customers. The management had to test its software before releasing it into the market. This would help to identify security gaps or inconsistencies that hackers and unauthorized people could use to access vital customer information. It would also be important for Sony to employ efficient system administrators to look into issues of data security. It should have a counter system that alerts users to any anomalies that may be detected in their accounts (Kolfal et al., 2013). As soon as users detect them, they can report them to the data security management staff for action. A huge responsibility will also rest on clients: they have to be wary of whom they give their credit card and account information to. All of this will work towards ensuring that information stays in the right hands.
Located in the USA, Heartland Payment Systems Inc. specializes in processing prepaid debit and credit cards. It also processes online checks and payments. Apart from these, it provides payroll services. It is the fifth largest company in the USA and is ranked at number nine in the world. Heartland announced that the computers it used to process payments and transactions had been hacked into. The breach occurred in 2008. The data that was compromised included the information necessary to produce counterfeit credit cards and the coded data on the magnetic strips of credit cards. MasterCard and Visa discovered the breach and duly informed Heartland of the suspicious transactions they had noticed. During its investigation of the case, Heartland found suspicious spyware that the hackers had planted in its transaction and payment systems (Events unfold after Heartland breach, 2009). The spyware stole a sizable amount of data over several months in 2008.
The breach was a slow event that progressed systematically over the months of the attack. First, there was an SQL injection in late 2007, which compromised the database. SQL injection allows additional database commands to be inserted through web scripts. The code that the hackers modified was in the login web page. The web page had been deployed some eight years earlier. However, this marked the first time the vulnerability was exposed. The hackers took eight months to get into the payment systems. This was because they had to be cautious to avoid being detected by the high-tech anti-virus systems used by Heartland (Kolfal et al., 2013). Eventually, the hackers installed spyware known as a “sniffer”, which could capture data as payments were being processed. Sniffer programs are used to monitor network traffic as payment is made. They are designed to analyze and solve problems. On the other hand, they can also be used to capture data for malicious purposes. In Heartland's case, the sniffer made it possible for the hackers to access the data required to produce counterfeit cards, thereby compromising the legitimate transactions of cardholders and users. The consequences of this operation were costly for Heartland. It was no longer compliant with PCI DSS (Payment Card Industry Data Security Standard). The credit card providers MasterCard and Visa require validation of PCI DSS so that they can process payments. It was not until May 2009 that its PCI DSS compliance was revalidated (Christopher, 2009).
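The login-page weakness described above comes down to how the query text is built. As an added example (not Heartland's code; the table, column and function names are assumptions, and the rows and probe strings are constructed), the code below puts a string-built login query beside a parameterized one and runs a small regression check against both:

```python
import sqlite3

def make_db():
    """In-memory user table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "hash-a"), ("bob", "hash-b")])
    return db

def login_concat(db, name, pw_hash):
    # Weak pattern: form fields are pasted into the SQL text, so a quote
    # character in a field is parsed as SQL syntax rather than as data.
    sql = ("SELECT name FROM users WHERE name = '%s' AND pw_hash = '%s'"
           % (name, pw_hash))
    return [row[0] for row in db.execute(sql)]

def login_param(db, name, pw_hash):
    # Corrected pattern: placeholders bind the fields as values only.
    sql = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return [row[0] for row in db.execute(sql, (name, pw_hash))]

# Textbook quote-bearing inputs for a regression test (constructed).
PROBES = ["x' OR '1'='1", "x'"]

def audit(login):
    """Return the probes that `login` fails to treat as plain data.

    A safe login returns no rows for a wrong credential; returning rows
    or raising a SQL error both show the field reached the SQL parser.
    """
    failed = []
    for probe in PROBES:
        db = make_db()
        try:
            if login(db, "alice", probe):
                failed.append(probe)
        except sqlite3.Error:
            failed.append(probe)
    return failed
```

A check like `audit` belongs in the test suite of any page that builds queries from request fields, including pages that have been in production for years.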
Around this time, Heartland announced a foolproof security measure: it would make use of end-to-end encryption to protect its data. There was a massive loss of revenue in the initial stages of the attack, estimated at over $145 million in compensation for fraudulent payments. The total loss Heartland experienced was well over $200 million. The good news was that the hackers were eventually arrested. Albert Gonzalez and two Russian accomplices were charged for the breach. Gonzalez was thought to have masterminded international operations that stole debit and credit cards from a number of financial institutions. In 2010 he was sentenced to 20 years in jail. Just before the breach, Heartland processed over one million transactions in one month for an estimated 175,000 merchants. Most of the transactions that Heartland deals in emanate from micro to midsized retailers. It is the bridge between the POS (Point of Sale) and the card networks of the bank. The hackers could use the information they got to generate numerous fraudulent transactions. The Heartland breach represents the greatest breach in payment systems of the 21st century (Ronald, 2009). Over 130 million cards were exposed through the SQL injection attacks that were used to install the spyware on the data systems at Heartland.
Firstly, Heartland took responsibility for what had happened. The company identified the loopholes within its systems and promoted solutions to prevent such attacks in the future. The system it used, end-to-end encryption, was the best any company could use to protect its data and valuable information. Another important lesson is that companies must not be too sure of their security. They should update their security information and check their web pages for vulnerabilities. Suggested software they can use includes Hacker Guardian, invented by Comodo. It scans web pages for PCI compliance and malware daily, which is essential for micro and sizable businesses. Businesses need systematic and layered approaches (malware scanners and firewalls) to scan the connection points of their networks. These should be on every computer server and network in use. The weakest links in the server should be the most guarded. Because hackers keep getting more sophisticated by the day, businesses and managements should also work round the clock to install the best information security systems within their networks. Some systems may be aggressive, requiring closer attention. However, aggressive computer and network approaches are necessary to deal with the threats and insecurity issues of the 21st century. Hackers are becoming more sophisticated in their ability to get crucial information about companies. They are able to invade corporate data networks. Hence, hacker attacks can be costly to companies. For instance, Heartland lost over $200 million following the attack. What is more, the breach compromised millions of accounts of Heartland's loyal customers. Another lesson is that managers and those charged with communication at companies should never conceal such issues. It is important that they divulge details of attacks within the shortest time possible to restore the confidence of their clientele (Joseph, 2009).
It is important that companies share details of such attacks. Sharing information helps them to understand the nature of attacks and come up with collective or individual solutions for dealing with the menace. The fact that Heartland had passed many audits yet was still vulnerable points to an unfolding scenario: the hackers are smarter and take their time to achieve what they want. Finally, the most important lesson is that companies and businesses should enact the best information protection systems or software that they know of. Encryption is the best solution to most data security issues. Focus should be laid not just on critical servers but also on every minute aspect of an organization's systems.
This case presented the biggest scandal in the USA and other parts of the world. It is estimated that about 26 countries were affected. It was a show of brilliance and a high degree of cyber-skill exhibited by well-trained thieves. It was a network of intelligent thieves who stole over $45 million in cash from ATMs across 26 countries (McGee & Byington, 2013). Some $2.8 million was stolen with ease from ATMs in New York. This was the biggest cash theft witnessed since the $5 million heist at J.F.K. Airport in 1978. Information was stolen from the databases of prepaid cards and then copied onto plastic cards that had been restored using magnetic strips. The global theft was conducted in December 2012. First, $5 million was stolen on December 12th; then, on the 19th and 20th of February, the thieves hit the jackpot, stealing in excess of $40 million in over 36,000 transactions within a span of 10 hours. The thieves stole from several ATMs in Manhattan, withdrawing the same amount of money in several transactions. The theft was executed with a lot of expertise: the thieves were able to drain cash from several ATMs with alarming speed. This exposed the difficulties that the authorities and banks face in dealing with such crimes. It is difficult for financial institutions to protect their assets in this digital age (American Bankers Association, 2010).
The thieves did not use guns or masks; they used malware and laptops. A total of 8 suspects participated in the loot. The withdrawals took place across the globe as the suspects used fake cards, acting according to well-coordinated and detailed plans. The gang of criminals that carried out the global heist has been known as a “Virtual Criminal Flash mob”. The hackers got debit card data, removed withdrawal limits, established access codes and sent out operatives to withdraw money in numerous cities in the USA, Africa, Europe and Asia. The jobs they pulled are known as “unlimited operations” (Stickley et al., 2009). In a display of top-notch hacking of financial networks, the masterminds accessed unlimited cash by using effective underlings. The hackers used complex computer tricks to attack two networks of credit card processors. These were the processors that handled prepaid debit card transactions. Employers generally use such cards to pay employees, and charity organizations can also use them to disburse funds for assistance. The hackers could then load the accounts, which enabled them to access the cash amounts they specified. In this case, the hackers changed the virtual security protocols so as to hike the amounts they could withdraw (McAndrews, 2009).
The brains behind the scheme monitored the operatives all the while through their secured computer networks. The operatives took their share and sent the rest of the loot to their bosses. The hackers used the money to buy expensive luxury goods. The first target of the cyber attacks was prepaid MasterCard debit cards issued by the Ras Al-Khaimah National Bank, situated in the United Arab Emirates. The second attack was carried out on computers of the Muscat Bank, situated in Oman. The operations were coordinated from a New York cell based in Yonkers. It coordinated the withdrawal of over $2.8 million from several banks in Brooklyn, Queens and Manhattan (Stickley et al., 2009).
Perhaps what led to their arrest is the fact that the thieves let their guard down, posing with expensive cars and Rolex watches. The supposed leader, Alberto Yusi Lajud-Pena, was found murdered in the Dominican Republic. At the time of his death, he had in excess of $100,000 in his possession. The other suspects were Mejia Collado, 23; Luis Lara, 22; Pena Evan, 35; Familia Reyes, 24; Rodriguez Elvis, 24; Yeje Emir, 24 and Yu-Holguin, 24 (Stickley et al., 2009). All of them resided in Yonkers. In New York, the group stole nearly $400,000 in over 700 transactions. In another attack that occurred in February, the crew stole $2.8 million in 3000 bank withdrawals during a 10-hour spree. Personal bank accounts were not compromised, though. Some of the items the thieves purchased included expensive Rolex watches, a Mercedes Benz SUV and a Porsche sedan. The criminals were tracked down and eventually arrested and indicted based on evidence from surveillance cameras. The footage showed their bags getting fuller at each stop. Investigative authorities refused to comment on the unfolding events, saying only that the hackers were not based in the USA (McAndrews, 2009).
It is important that banks and financial institutions use sophisticated technology to combat such heists. They should have advanced systems that detect any suspicious activity in their banking systems (Britz, 2009). That the heists were carried out within short intervals is a pointer to banks that they should do more to ensure security. Again, it will be important that banks and financial institutions report these attacks to the investigative authorities, who will then carry out investigations and get to the root causes of such crimes. It is equally important for banks to constantly audit their systems and use the latest anti-spyware software. If these measures are followed, the attacks and breaches will be controlled. The most important lesson that banks can learn is to mitigate risks. To do so, they should monitor their transactions and employ stringent restrictions on amounts and on changes in account limits (Stickley, 2009). They should equally address the risks that payment processors pose. The issue of third parties should also be discussed. Banking institutions should ensure that all the requisite controls are enacted within their banking and transaction systems. Another lesson is that the culprits of such heists should be tracked down and brought to book, at least to serve as a lesson to other prospective perpetrators.
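One way to implement the transaction and limit-change monitoring recommended above, as an added example that is not taken from the cited sources: a detector for the cash-out pattern described earlier, a raised withdrawal limit followed by rapid withdrawals in several countries. The log format, thresholds and rule names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: time,card,event,amount_or_limit,country
SAMPLE_LOG = """\
2024-01-02T08:00:00,card-A,limit_change,500,-
2024-01-10T09:00:00,card-B,withdrawal,200,US
2024-01-10T14:00:00,card-A,limit_change,1000000,-
2024-01-10T15:02:00,card-A,withdrawal,800,US
2024-01-10T15:03:00,card-A,withdrawal,800,JP
2024-01-10T15:05:00,card-A,withdrawal,800,DE
2024-01-10T15:06:00,card-A,withdrawal,800,US
2024-01-11T09:00:00,card-B,withdrawal,200,US
"""

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, card, kind, value, country = line.split(",")
        events.append((datetime.fromisoformat(ts), card, kind, int(value), country))
    return sorted(events)  # process strictly in time order

def flag_cashouts(log, window=timedelta(hours=10),
                  max_withdrawals=3, max_countries=1):
    """Return {card: sorted rule names} for cards matching the pattern."""
    limits, raised_at = {}, {}      # last known limit / time of last raise
    recent = defaultdict(list)      # card -> [(time, country)] inside window
    alerts = defaultdict(set)
    for ts, card, kind, value, country in parse(log):
        if kind == "limit_change":
            if value > limits.get(card, value):   # first setting is not a raise
                raised_at[card] = ts
            limits[card] = value
        elif kind == "withdrawal":
            # Slide the window: keep only withdrawals still within it.
            recent[card] = [(t, c) for t, c in recent[card] if ts - t <= window]
            recent[card].append((ts, country))
            if card in raised_at and ts - raised_at[card] <= window:
                alerts[card].add("withdrawal_after_limit_raise")
            if len(recent[card]) > max_withdrawals:
                alerts[card].add("velocity")
            if len({c for _, c in recent[card]}) > max_countries:
                alerts[card].add("multi_country")
    return {card: sorted(reasons) for card, reasons in alerts.items()}
```

On the sample log only `card-A` is flagged, and it trips all three rules; `card-B`, with one domestic withdrawal per day, is not reported.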