The suspension of 93,000 PlayStation Network (PSN) accounts by Sony after a large number of unauthorised sign-in attempts could undo recent campaigns to win back customers and affect long-term confidence in the company, according to an Australian security analyst.
Sony chief information security officer Philip Reitinger said in a statement that less than one tenth of one percent (0.1 per cent) of its PSN and Sony Entertainment Network (SEN) audience may have been affected.
The suspension happened only months after the PSN network database was breached and an estimated 100 million online accounts were compromised.
Sony PSN has offered free game downloads to PSN users who logged back into the network and, in August, sent an email to account holders offering a free year-long trial of a range of CSIdentity's anti-fraud services, including identity protection and fraud detection.
Security analyst and IBRS advisor, James Turner, said the latest attack was “not ideal timing”, as Sony is still in the process of encouraging PSN customers to log back in.
“It’s got to suck to be working in IT security at Sony right now,” he said. “They will have to do some serious thinking about what they do next and pull out all stops to start securing themselves intensively.”
Turner likened Sony to a shark attack victim, with more sharks, in the form of hackers, circling to take another bite. “Now that Sony has been compromised again, they run the risk of other script kiddies taking a crack at them, so it could incite further attacks,” he said.
According to Turner, the problem with the latest attack was that it had the potential to make consumers question the data integrity of not just Sony but other gaming console manufacturers such as Microsoft.
“Consumers will look at a trusted brand like Sony and think 'If they are getting hacked, who else can I trust?’,” he said. “It has the potential to impact on the wider [gaming] industry through straight loss of confidence.”
He added that the compromise may have been the result of a brute force attack.
“If the database with the user names was compromised, then they should have more successful logins if it was the actual password, unless the attacker had screwed up the database and had a script,” Turner said.
“So they had people trying to log in to all of these usernames and passwords and they got a lot of false ones but some of them worked,” he said. “Something was different about the ones that worked, which indicates it may have been a brute force attack.”
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au