Sony Pictures falls victim to major data breach

Hacking group LulzSec claims it has accessed personal data on more than 1 million people

LulzSec, a hacking group that recently made news for hacking into PBS, claimed today that it has broken into several Sony Pictures websites and accessed unencrypted personal information on over 1 million people.

In a statement released Thursday, the group claimed that it had also managed to compromise all "admin details," including administrator passwords, as well as 75,000 "music codes" and 3.5 million "music coupons" from Sony networks and websites.

The group has publicly posted a full list of compromised sites, along with links to documents containing samples of what it claimed was material stolen from Sony.

The compromised databases included one that appeared to contain information belonging to people who participated in a promotional campaign involving Sony Pictures and, as well as another involving a Sony-sponsored Summer of Restless Beauty campaign.

Also compromised in the break-in, according to LulzSec, was a Sony music codes database, a music coupons database, and databases from Sony BMG Belgium & Netherlands.

The compromised databases contained "varied assortments of Sony user and staffer information," the group said.

" was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now," LulzSec said. "From a single injection, we accessed EVERYTHING."

"What's worse is that every bit of data we took wasn't encrypted," the group claims. "Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it."

LulzSec said that it had copied and published only a relatively small sample of the information it had managed to access because it did not have the resources to download everything. The group said that in theory it could have "taken every last bit of information," but that would have taken weeks.

The group posted a link to the SQL injection vulnerability it had exploited and invited anyone to verify it personally. "You may even want to plunder those 3.5 million coupons while you can."

In response to a request for comment, a Sony spokeswoman said the company would send a statement by email to Computerworld, but has not yet done so.

If the breach is as extensive as LulzSec has claimed, it would be the second major compromise that Sony has suffered since mid-April, when intruders broke into its PlayStation Network and Sony Online Entertainment networks.

Those breaches resulted in the compromise of personal data belonging to nearly 100 million account holders.

Since then, there have been a series of intrusions at various Sony websites around the world.

The attacks, such as the one carried out against Sony Pictures by LulzSec, have been designed largely to embarrass Sony, which has sparked the wrath of many hackers for its hard line stance over copyright and IP protection.

The continuing attacks have become a huge issue for the company. Sony was forced to shut down its PlayStation Network and Sony Online Entertainment networks for several days to fix issues resulting from those intrusions. Even now the networks are still limping back to normal.

So far, Sony has hired at least three external security firms to help patch its networks. It also recently hired a new chief information security officer to help coordinate its security efforts. With the company's websites having been routinely broken into, despite such measures, many wonder just how porous Sony's networks are.

Sony itself characterized the PlayStation Network and Sony Online Entertainment intrusions as highly targeted and sophisticated cyberattacks. However, all of the publicly disclosed ones since then appear to have been the result of some fundamental security oversights on the part of the company.

Several of the attacks have resulted from SQL injection flaws that hackers have claimed were extremely easy to find and to exploit.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

Read more about network security in Computerworld's Network Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags network securityfirewallsdata securitysecuritysonydata protection

More about BMG Lab TechING AustraliaSonyTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts