Sony: The Company That Kicked the Hornet's Nest

There's an Internet phenomenon called the Streisand Effect. It happens when a person or company tries to suppress a piece of information and, in so doing, unintentionally popularizes it. It bears the name of Barbra Streisand because of her unsuccessful 2003 lawsuit attempting to remove photographs of her Malibu home from the Web—which of course had people flocking to the site that hosted the pictures.

In the future, a blowback in the realm of cybersecurity might be known as the Sony Effect. The Japanese conglomerate is still dealing with the fallout from an April hacking incident that targeted its PlayStation and Sony Online Entertainment networks, which some 100 million people use to play video games, watch movies, and listen to music online. The attack resulted in the second-largest data breach in U.S. history, exposing records including credit-card numbers and forcing Sony (SNE) to pull the plug on the networks indefinitely. (Sony hopes to have them back online by the end of May.) A full accounting of the disaster, both in dollar terms and in damage to the PlayStation brand, will take months, if not years.

Sony may have unintentionally brought the crisis on itself. While other tech companies have worked to establish an uneasy truce with hackers, Sony has antagonized them with lawsuits and prosecutions. At the same time, security experts say Sony essentially left the keys in the car, failing to adequately protect or even monitor crucial parts of its server infrastructure. "They appeared to be operating in an environment where no one had really assessed the risks," says Eugene H. Spafford, a computer science professor at Purdue University who testified during a congressional hearing on the Sony hack on May 4.

The impetus for the attack may have come at the beginning of this year, after a spat between Sony and a 21-year-old hacker named George "GeoHot" Hotz. He's legendary in hacker circles for "unlocking" the first-generation iPhone when he was 17, finding a way past Apple's (AAPL) security layers and opening up the device for use with any cellular carrier. Last year, Hotz discovered how to "mod" the PlayStation console, allowing it to run "homebrew" games made by amateurs and other unsanctioned software. Hotz published his technique in an online diary; Sony sued to force him to take it down. A federal court ordered the seizure of his computers and Twitter and PayPal account records on Jan. 28. "Trying to sue a member in good standing out of existence didn't do them any favors," says Dave Aitel, a so-called white-hat hacker who helps companies recognize security vulnerabilities. Anonymous, the amorphous hacker collective that brought down the websites of MasterCard (MA) and other payments processors in December, vowed to retaliate.

The Hotz incident was followed in February by a German police raid on the apartment of Alexander Egorenkov, another hacker who had distributed software that let PlayStation consoles run homemade games. Other technology companies have found ways to channel hackers' energy without resorting to lawsuits. Microsoft (MSFT), for instance, permits hackers to unlock its Kinect gaming device and invites some of them to its conferences. Google (GOOG) pays white-hat hackers who help identify bugs. Sony is far more uncompromising, says Robert Vamosi, a senior analyst at security firm Mocana. "Hardware manufacturers like Sony just aren't very good about listening when a security researcher presents them with a flaw," Vamosi says.

Sony settled its case against Hotz on Mar. 31, when he agreed to take down the PlayStation hacking information. By that point, someone was already testing Sony's network for weaknesses. Bret McDanel, a veteran security researcher, says a program known as penetration testing software, which methodically checks a network for vulnerabilities, began scanning Sony's PlayStation Network at 7:09 a.m. on Mar. 3. McDanel knows this because Sony left one of its server logs, which record all the activity performed by a machine, completely unguarded on the open Web. "Having these logs in the public domain gives a potential attacker insight into the system," he says.

McDanel says the probers used an off-the-shelf program that is easy to obtain and not very stealthy. Anyone checking the server logs would have been able to recognize its telltale signs and prevent the break-in, and Sony was "negligent" for not doing so, he says. On Apr. 15, after six weeks of scanning, the penetration software suddenly stopped, most likely because "they found what they had been looking for, a vulnerability in the network," says McDanel. Four days later, Sony noticed the first signs of a break-in. A company spokesman says Sony was the victim of "a highly sophisticated attack" and that the company's network "had multiple security measures in place."
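McDanel's point is that automated scanning leaves recognizable patterns in ordinary web server logs. As an added illustration that is not code from the article or from Sony, this Python snippet parses a constructed Apache-style access log and flags sources whose traffic looks like a vulnerability scanner: many distinct paths, mostly 403/404 responses, packed into a short window. The sample lines, IP addresses and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA "combined" access-log layout, one of the common server log formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real data): 203.0.113.7 walks many non-existent
# paths within seconds; 198.51.100.20 browses like an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2011:07:09:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2011:07:09:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2011:07:09:02 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2011:07:09:02 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2011:07:09:03 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2011:07:09:03 +0000] "GET /config/ HTTP/1.1" 403 210 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2011:07:10:00 +0000] "GET /store HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2011:07:10:04 +0000] "GET /store/game/42 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
198.51.100.20 - - [03/Mar/2011:07:10:09 +0000] "GET /cart HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Group (timestamp, path, status) tuples by source IP; skip unparseable lines."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
            per_ip[m['ip']].append((ts, m['path'], int(m['status'])))
    return per_ip

def find_scanners(log_text, min_requests=5, max_window_s=60, error_ratio=0.5):
    """Flag sources with many distinct paths, mostly 403/404 replies, in a short
    window. Thresholds are illustrative; tune them against a site's normal traffic."""
    flagged = {}
    for ip, reqs in parse(log_text).items():
        if len(reqs) < min_requests:
            continue
        times = [t for t, _, _ in reqs]
        span = (max(times) - min(times)).total_seconds()
        errors = sum(1 for _, _, s in reqs if s in (403, 404))
        distinct = len({p for _, p, _ in reqs})
        ratio = errors / len(reqs)
        if ratio >= error_ratio and distinct >= min_requests and span <= max_window_s:
            flagged[ip] = {"requests": len(reqs), "distinct_paths": distinct,
                           "error_ratio": round(ratio, 2), "span_seconds": span}
    return flagged
```

Running `find_scanners(SAMPLE_LOG)` flags only 203.0.113.7; a review of such hits is the kind of routine log check the article says would have exposed the six weeks of probing.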

No one has taken credit for the attack, though Sony executives told Congress that they found a file left by the hackers that reads "We are legion"—the motto of Anonymous. Whoever the culprit may be, Sony now has good reason to familiarize itself with the mechanics of the Streisand Effect. After all, it owns Streisand's label.

The bottom line: Security experts say Sony should have recognized the warning signs of an impending attack, which compromised 100 million accounts.