Bletnitsky said that there was reason to believe that Sony also stored unencrypted credit card data, in light of the fact that the company appeared concerned about the possible breach of credit card numbers.
"That's a PCI violation. That means serious civil fines. This is a public company that does know better. It's not an 'Oops, we didn't realize,'" he said.
Meanwhile, security experts also expressed consternation regarding Sony's belated disclosure and response following the breach.
"Sony's initial delay and vagueness about the nature of their security breach gives hackers the opportunity to exploit that data and potentially mine more of their customers' information," said Mandeep Khera, chief marketing officer for security company Cenzic, in an e-mail. "While we can understand that Sony had to get forensics done to find out how it happened, there's no excuse for them to not inform the customers right away."
Bletnitsky said that Sony's due diligence should have included informing customers almost immediately after the breach was detected.
"I understand having a little bit of an investigation, but that usually doesn’t take a week, not for a company like Sony," he said. "This is something that they really should have jumped on faster. Seven days in this day and age is an eternity."