Meanwhile, security experts contend that even if Sony was employing standard security products such as a firewall and encryption, its security practices fell well short of adequately protecting its customers' information, and there was little way for outsiders to tell whether it had passed compliance audits.
"There is abundant technology to prevent this breach and/or limit its scope, but Sony chose not to implement it," said Phil Lieberman, CEO of Lieberman Software, in an e-mail. "Putting this much data in a single database that is publicly extractable with no limits is shameful given what is available today to protect against this type of loss."
Lieberman added that compliance regulations such as PCI often lack any kind of real penalties or consequences for big companies that fall short of meeting the mandated security requirements.
"The loss of your personal information will most likely be nothing more than a 'cost of doing business' for this type of company—you will take the pain and they will take a hit to their reputation (maybe)," he said. "It is for this reason we are fundamentally opposed to hiding PCI results as well as SAS70 reports from the public. If you don't have access to the full internal security report of a vendor you are dealing with, you should expect that they have little to no real security and that your data will probably be compromised."