Sony Stock Hammered in Wake of Security Breaches

Monday, June 06, 2011

Anthony M. Freed


Sony Corporation (SNEJF) has suffered two more network security events over the weekend.

The first is an attack by a Lebanese hacker known as "Idahc" who compromised a Sony Europe database exposing more than 120 account usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.

"By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses," wrote Senior Security Advisor Chester Wisniewski in a blog post.

"All the data that the hacker seems to have copied was information already available on the company website," said a company spokeswoman in a statement.

An update to Wisniewski's post indicates there was a second Sony network breach over the weekend, this time in Russia.

"In addition to the attack detailed above, the hacking group known as LulzSec has compromised SonyPictures.RU through another SQL injection flaw. No personal information was disclosed in the attack; it appears to have been designed just to continue to point out security flaws in Sony's infrastructure to create PR problems for the media giant. In the note, LulzSec left a message: 'In Soviet Russia, SQL injects you...'" Wisniewski wrote.

The two new breaches are on top of several announced last week. The hacker collective LulzSec claims to have hacked Sony Pictures, Sony Entertainment, Sony BMG and compromised sensitive data for over one million customers, as well as gaining access to admin passwords, music "codes" and "coupons".

In late April the Sony breach saga began when the company announced that the PlayStation network servers had been hacked, exposing the records of more than 70 million customers. During the course of the investigation, Sony discovered that the company's Online Entertainment network had also been compromised, exposing another 25 million customer records.

Since then it has been all downhill for Sony Corporation, with new security breach events being announced every few days. Security experts are beginning to speculate on whether the rash of data loss events at Sony could threaten the long-term health of what has notably been a stable company for decades.

"Hacking incidents, as we've seen, tend to have a short-term impact on a business and rarely impact the long-term viability of a large organization. What I suspect may happen here is an event or exfiltration of data so catastrophic that it may actually impact Sony's long-term viability and bottom line," wrote Hewlett Packard's Rafal Los.

"Even if Sony can swallow up the cost, a few things have been exposed including the fact that information security obviously wasn't taken seriously... as is indicative that just now the organization is hiring an information security manager," Los continued.

A company's stock price is determined by multiple factors too intricate to detail here, but in a nutshell one can consider that a company's market capitalization (worth) is determined by two basic factors: a company's book value (all assets and revenues) and investor speculation on a company's future value (shareholder confidence).

The unrelenting security incidents plaguing Sony, compounded by the recent earthquake and tsunami in Japan, have worked to undermine shareholder confidence in the entertainment giant, and the result is a steady decline in the company's share price.

"Sony has estimated the data breach will result in a $170m (£104m) hit to its operating profit. Pundits say the cost of reputational damage is likely to be much greater," wrote Computer Weekly's Warwick Ashford.

The six-month Sony stock price history, displayed below in black in comparison to the Dow market index in red, shows a precipitous decline in share value following the series of network breaches:


The Sony case may in time become the first real-world example of how lone wolf attackers and hacktivist collectives have the power to bring a worldwide corporate powerhouse to its knees.

Successfully damaging a behemoth company like Sony in the long run will undoubtedly embolden the blossoming hacktivist movement and provide more than enough impetus for a dramatic escalation in politically and socially motivated attacks.

In the midst of a global economic slump and lackluster recovery, hacktivist attacks against public and private institutions could begin to have a significant impact on financial markets, further deepening an already lengthy recession.

Consumers are likely to become ever more wary of the risks that providing sensitive data to companies might entail, and the result may be seen in diminished revenues over time, further undermining investor confidence.

Diminished revenues and depressed share values would undoubtedly impact employment levels, and thus we have the makings of a vicious cycle that could ultimately have a detrimental effect on the global economy for a significant period of time.

As many people are just beginning to learn - from the corporate board room to the average consumer on the street - information security lapses are far from localized events, and the consequences are inestimable.

Allan Pratt, MBA Hopefully, these recurring breaches will not cause people to be complacent - security prevention is a 24/7/365 job!
Mike Meikle If the C-Suite sails through this event without repercussion, it shows that Sony is not serious about the lapse. The Board should hold the executives accountable and begin cleaning house.

I take this position due to the fact that Sony had obviously (based on the response) ignored the security risks and decided to gamble with their data. Time for some new blood in the corner office and perhaps a bit more investment in training, risk management, communications and security infrastructure.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
