So, Sony got hacked. Again. According to LulzSec, the collective who hacked internal Sony networks and websites, they compromised over 1 million accounts, including admin details and passwords, along with 75,000 "music codes" and 3.5 million "music coupons".
What caught my attention in the LulzSec statement was the following:
“What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it. This is disgraceful and insecure: they were asking for it.”
Thales has written often in the past about the importance of complementing perimeter firewalls and other defences with protection inside the perimeter. Now here is a hacker saying pretty much the same thing. But hackers never stand still, and data protection needs to be data centric: sensitive data should be encrypted at the point it enters a system, using techniques that ensure the encryption key can subsequently be used to decrypt data only for legitimate business transactions and at legitimate data volumes. The most effective way to do this is to protect the key and apply a key policy that restricts its use to legitimate applications and ensures it cannot be [ab]used to decrypt large blocks of data.
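One shape such a key policy can take, as an added example that is not Thales's code or product: a small Go key service (the names KeyService, Encrypt, Decrypt and the "checkout" application are assumptions) encrypts records with AES-256-GCM where data enters the system, then refuses to decrypt for any application that is not registered or has used up its per-window quota, so a compromised front end cannot turn a million ciphertexts back into a million plaintexts in one go. Resetting quotas at each window boundary is assumed to happen outside this snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)
var ErrPolicy = errors.New("key policy: decrypt refused")
// KeyService keeps the AES-256-GCM data key behind a usage policy: only
// registered applications may decrypt, each a fixed number of times per
// window, so a stolen credential cannot bulk-decrypt a whole table.
// Resetting quotas at each window boundary is assumed to happen elsewhere.
type KeyService struct {
	aead  cipher.AEAD
	quota map[string]int // application name -> decrypts left this window
}
func NewKeyService(key []byte, quota map[string]int) (*KeyService, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &KeyService{aead: aead, quota: quota}, nil
}
// Encrypt runs where data enters the system; it needs no policy check since
// producing ciphertext reveals nothing. Output is nonce || ciphertext.
func (ks *KeyService) Encrypt(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, ks.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return ks.aead.Seal(nonce, nonce, plaintext, nil), nil
}
// Decrypt enforces the policy before the key is used at all.
func (ks *KeyService) Decrypt(app string, ct []byte) ([]byte, error) {
	if left, ok := ks.quota[app]; !ok || left <= 0 {
		return nil, fmt.Errorf("%w for %q", ErrPolicy, app)
	}
	ks.quota[app]--
	ns := ks.aead.NonceSize()
	if len(ct) < ns { return nil, errors.New("ciphertext too short") }
	return ks.aead.Open(nil, ct[:ns], ct[ns:], nil)
}
func main() {
	key := make([]byte, 32) // constructed demo key; a real one stays in an HSM
	rand.Read(key)
	ks, _ := NewKeyService(key, map[string]int{"checkout": 1})
	ct, _ := ks.Encrypt([]byte("constructed customer record"))
	_, allowed := ks.Decrypt("checkout", ct) // registered and within quota
	_, refused := ks.Decrypt("checkout", ct) // quota exhausted
	fmt.Println(allowed, refused)
}
```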