Sony has notified 37,500 people due to the breach. The notification letter can be seen here.
Michael Lynton, the Chairman and Chief Executive Officer, and Amy Pascal, the Co-Chairman of Sony Pictures, issued the following statement today."The cybercrime wave that has affected Sony companies and a number of government agencies, businesses and individuals in recent months has hit Sony Pictures as well. Yesterday afternoon a group of criminal hackers known as "LulzSec" claimed to have breached some of our websites.
"We have confirmed that a breach has occurred and have taken action to protect against further intrusion. We also retained a respected team of experts to conduct the forensic analysis of the attack, which is ongoing.
"In addition, we have contacted the U.S. Federal Bureau of Investigation and are working with them to assist in the identification and apprehension of those responsible for this crime. We deeply regret and apologize for any inconvenience caused to consumers by this cybercrime."
Last week, LulzSec said that it was the beginning of the end for Sony. Their statement foreshadowed Thursday’s public release of nearly 140,000 records, just a sample of the data available after LulzSec compromised Sony Pictures. The breach was possible thanks to a single SQL Injection flaw within a promotional page for the movie Ghostbusters.
“We are looking into these claims,” said Jim Kennedy, EVP of Global Communications for Sony Pictures Entertainment, in an emailed statement to The Tech Herald.
The claims come from LulzSec, the group who recently compromised PBS after a negative Frontline story on WikiLeaks. As word of the PBS attack circulated in the media, LulzSec outright warned Sony something was up.
“Hey @Sony, you know we're making off with a bunch of your internal stuff right now and you haven't even noticed? Slow and steady, guys,” a May 31 Twitter post from the group noted.
Addressing the public on Thursday, LulzSec said that a single SQL Injection flaw led them to more than one million clear text passwords, 3.5 million “music coupon” codes, and 75,000 “music codes”.
“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed everything. Why do you put such faith in a company that allows itself to become open to these simple attacks,” the note from LulzSec said.
“What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.”
The file with the most potential to cause damage is the database dump with 12,500 records, containing names, home addresses, phone numbers, email addresses, usernames, and passwords. In addition, a second file released by the group contains 21,000 email addresses and passwords, each one previously used in a sweepstakes.
“The take away for the average internet users is clear. Don't trust that your password is being securely stored and be sure to use a unique password for every website to limit your exposure if hacks like these occur,” commented Sophos’ Chester Wisniewski.
“Companies collecting information from their customers have a duty to protect that information as well. In addition to employing proper encryption to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans.”
The link used to perform the SQL Injection attack on SonyPictures.com was unavailable at the time this story was written. We’ve asked Sony for additional information, and if they provide it we’ll update this story.