Sony Suffers Hack Against BMG Greek Web Site


It might be "Groundhog Day" for Sony after the electronics giant suffered from yet another Web site hack, this time against Sony's BMG Web site in Greece.

During the attack against Sony's BMG Greek Web site, first reported by the Hacker News Network, hackers broke into SonyMusic.gr and lifted sensitive information from the database housing records of more than 8,000 customers using the site. An anonymous hacker then uploaded the users' database, which contained users' names, e-mail addresses and usernames, to pastebin.com.

The hackers claimed that they omitted other personally identifying information, which included telephone numbers and users' passwords.

Chester Wisniewski, senior security adviser at Sophos, said in a blog post that the attack was executed via an SQL injection method, and likely relied on an automated exploit tool to detect the vulnerability in Sony's Web site.

Wisniewski said that it was likely that Sony would experience more attacks down the road, in light of the growing popularity of finding vulnerabilities in, and launching attacks against, the Sony platform.

"It is nearly impossible to run a totally secure Web presence, especially when you are the size of Sony," Wisniewski said. "As long as it is popular within the hacker community to expose Sony's flaws, we are likely to continue seeing successful attacks against them."

Wisniewski recommended that SonyMusic.gr users reset their passwords in order to protect themselves from identity theft, phishing and other malware attacks.

The hack is the latest in a series that Sony has suffered since the massive external hack against its customer databases in April that compromised more than 77 million customer records, forcing it to shut down its PlayStation Network and Qriocity services for more than three weeks.

Since then, Sony has been forced to shut down its PlayStation Network login and password reset pages to block another attack exploiting a serious security vulnerability in the way the password reset form was implemented. The site contained a glitch that failed to properly verify tokens, which enabled hackers who knew only a user's date of birth and e-mail address to access that user's PlayStation Network account.

That breach came just days after Sony fully restored services on its PlayStation Network and Sony Online Entertainment videogame sites.
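The class of flaw described in the password reset incident above (a reset form that does not properly verify its token, so a date of birth and an e-mail address are enough) is sketched here beside a checked version. This is an added example, not Sony's code; the account store, function names, token lifetime and sample data are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed token lifetime in seconds
# Constructed sample account store (not real data).
USERS = {"alice@example.com": {"dob": "1990-01-01", "pw": None}}
RESET_TOKENS = {}  # email -> (sha256 of token, expiry time)

def set_password(user, new_password):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    user["pw"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000))

def issue_reset_token(email, now=None):
    """Generate a random token to e-mail to the user; keep only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
    return token

def reset_weak(email, dob, new_password, token=None):
    """Flawed pattern: the token is accepted but never checked."""
    user = USERS.get(email)
    if user and user["dob"] == dob:
        set_password(user, new_password)
        return True
    return False

def reset_checked(email, dob, new_password, token, now=None):
    """Require a server-issued token that is unexpired, matching and single-use."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    record = RESET_TOKENS.pop(email, None)  # every attempt consumes the token
    if not user or not record or not token:
        return False
    stored, expiry = record
    supplied = hashlib.sha256(token.encode()).digest()
    if now > expiry or not hmac.compare_digest(stored, supplied):
        return False
    if user["dob"] != dob:
        return False
    set_password(user, new_password)
    return True
```

Because a failed attempt also consumes the stored token, a guessed value cannot be retried against the same token; the legitimate user simply requests a new one.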

Following that attack, the Wall Street Journal reported that Sony's So-net Entertainment Corp, an Internet service provider subsidiary, suffered an attack in which hackers broke into its customer rewards site and stole customers' redeemable gift points, totaling about $1,225.

Security firm F-Secure also reported that hackers were running a phishing site on a Sony server hosting its Sony Thailand services.

Sony said Monday that financial losses from the PlayStation Network hack are expected to total $171 million, which excludes any damages paid as the result of lawsuits.

Meanwhile, security experts contend that financial ramifications of inadequate security often far outweigh the costs of preventative security measures.

"The lesson I take away from this is similar to other stories we have published on data breaches," Wisniewski said. "It would cost far less to perform thorough penetration tests than to suffer the loss of trust, fines, disclosure costs and loss of reputation these incidents have resulted in."