The creation of a CISO post, which will report to Sony Chief Information Office Shinji Hasejima, was one of several measures Sony said it was taking to prevent a similar breach from occurring again. Those measures, outlined by Sony over the weekend, include:
- Added automated software monitoring and configuration management to help defend against new attacks.
- Improved levels of data protection and encryption.
- Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns.
- Implementation of additional firewalls .
Sony, in a statement Monday, said engineers and security consultants reviewing company systems discovered that personal information from 24.6 million additional customer accounts may have been stolen. The information included customers name, addresses, e-mail addresses, birthdates, gender, phone numbers, login names and hashed passwords. Other pilfered information came from a 2007 database that may have been included about 12,700 non-U.S. credit or debit card numbers and expiration dates, but not credit card security codes, and about 10,700 direct debit records of certain customers in Austria, Germany, Netherlands and Spain that included bank account numbers, customer names, account names, and customer addresses also were taken.
Last week, Sony reported the information of 77 million customer accounts were exposed between April 17 and 19. That means personal information of more than 100 million customer accounts has been exposed.
Patrick Seybold, Sony senior director of corporate communications and social media, said in a blog Monday that passwords Sony stored were not encrypted, but were transformed using a cryptographic hash function. "There is a difference between these two types of security measures, which is why we said the passwords had not been encrypted," he wrote. "But I want to be very clear that the passwords were not stored in our database in cleartext (non-protected) form."
Seybold also denied reports that hackers approached Sony to buy back millions of credit-card numbers allegedly pilfered in the digital assault. "To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list," he said.
DHS Monday said it's working with Sony through Homeland Security's U.S.-CERT unit to gain a better understand of what caused the breach that exposed personally identifiable information including names, addresses, passwords and, possibly, credit card information.
"The Department of Homeland Security is aware of the recent cyberintrusion to Sony's Playstation Network and Qriocity music service," DHS spokeswoman Amy Kudwa said. "DHS's United States Computer Emergency Readiness Team is working with law enforcement, international partners and Sony to assess the situation."
Kudwa didn't provide any further details.
U.S.-CERT coordinates responses to security threats from the Internet. U.S. CERT works with software makers to create patches for security vulnerabilities.
Sony said Sunday it would shortly begin a phased restoration by region of PlayStation Network and Qriocity services, beginning with gaming, music and video services to be turned on.
The PlayStation and Qriocity breach has caught the attention of CISOs who don't work for companies that run consumer networks. Intel CISO Malcolm Harkins said the Sony breach reminds CISOs in all sectors that such incidents can't be avoided, but their risks can be managed (see Why CISOs Must Care About Sony Breach). "How you manage risk, how to mitigate the risk to the extent that you live with some level of potential comprise because it will occur," Harkins said.