PlayStation Network security breach raises questions for SMEs

Small businesses have been warned to carefully watch their online databases containing crucial customer information such as credit card numbers and addresses, as Sony scrambles to identify the culprit of a major breach of its PlayStation network service that may have affected up to 70 million users.

The development comes just weeks after similar intrusions were targeted at cosmetics retailer Lush and even international security firm RSA, which produces cryptographic tokens. Both companies suffered breaches and in the case of Lush, customer data was accessed.

“Any business, small or large, can be vulnerable to these types of attacks,” AVG security specialist Lloyd Borrett says.

The latest attack has been directed at the Sony PlayStation network, the online services through which PlayStation customers can access services such as NetFlix, and connect to other customers to play multiplayer sessions of games – the service has about 70 million customers.

“We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorised intrusion into our network,” the company admits on an official blog.

While it says that the company cannot confirm whether credit card data was obtained, it admits the possibility cannot be ruled out.

Sony says that it is still investigating the intrusion, but the online hacker group Anonymous has been named by blogs and publications as being responsible, having vowed revenge against Sony earlier this month after the company took legal action against a hacker.

While an Anonymous blog claims the group did not attack the PlayStation network, various members have been known to work on their own when attacking websites and the group has previously vowed revenge.

Borrett says these types of attacks are growing increasingly popular, and small businesses need to know how to protect themselves.

“There are groups of people who decide they don’t like Visa, MasterCard and other companies, then go off running denial of service attacks.”

“They essentially ransom companies and say they won’t stop until they pay money, or stop doing something, or so on.”

Borrett says it doesn’t matter if a company is small or not – these types of groups will rally online allies, and attack a business digitally as the risk of being caught remains fairly low.

“There are people out there who know how to cover their tracks. You see in a number of the anonymous attacks that many know how to get away with it, although some have been caught. It’s possible to get away with it.”

But Borrett says despite the growing threat of online attacks, many businesses aren’t doing enough to secure themselves. “Businesses need to be mindful about security, because small businesses tend to be the least secure. One in seven don’t even have security in place, and only 50% have a clear security policy in place,” he says.

AVG has found that cyber criminals are accessing data through social networks and insider threats from employees, along with remote technologies being used by staff. If companies don’t have policies for these practices, he warns, then they should make them immediately.

“Be extremely wary. It’s not just about the technology you use, it might be about the policies you have in place about concentrating data and so on.”

Borrett says companies need to add security for company smartphones, including private smartphones used for work. He points out crucial customer data including credit card numbers needs to be encrypted, while AVG also warns multiple passwords need to be used for accessing the most sensitive data.

“It’s not just about technology, part of looking at your security needs to be about how your data is being used and who is accessing it as well.”

“Your small business might just be a couple of staff and co-workers, but absolutely everyone needs to be mindful about security because you do not know what can happen.”