During testimony at a Congressional hearing earlier today, Dr. Gene Spafford of Purdue University stated that Sony knew months ago that its software was outdated. Approximately three months before more than 100 million users had their information stolen by hackers, the company was informed by security experts that its version of Apache Web Server was seriously out of date. This version was unpatched and had no firewall protection of any kind.
Dr. Spafford spoke during a hearing with the House Subcommittee on Commerce, Manufacturing and Trade. Sony was also invited to attend but declined. In a letter to the committee, the company stated that it has now added “automated software monitoring and enhanced data security and encryption to its systems in the wake of the recent security breaches.”
Excuse me for pointing out the obvious, but Sony made these moves just a smidgen too late, don’t you think? Had it been actively monitoring its software all along, these colossal data breaches may never have occurred, and more than 100 million people wouldn’t have their information at risk. Any company – especially one that deals with credit card numbers and identifying personal information – has a duty to its customers to protect them by making sure that its Web site and service are as secure as they could possibly be.
I cannot help but be outraged by this. I was not (thank the Lord) a PlayStation Network member. However, it doesn’t take much to set me off when a company is so obviously negligent. Heck yes, it has taken steps to correct the problem. Too bad that it’s not nearly enough to make up for the lack of security to begin with.
It’s bad enough that Sony never knew its software was outdated – or chose to ignore the fact. It’s far worse that it was told in a public place on more than one occasion by educated consumers and continued to do nothing. Was the company hoping to save money by not purchasing new software? If so, I think it’s safe to say that particular choice just bit it in the butt in a very large way.