Cybersecurity expert and industry icon Dr. Gene Spafford of Purdue University dropped a bomb on the Sony Corporation in testimony before the Congressional Subcommittee on Commerce, Manufacturing, and Trade on Wednesday.
Dr. Spafford asserted that Sony was running outdated and obsolete software on the PlayStation and Online Entertainment Networks, leaving the systems extremely vulnerable to the kind of attack that subsequently led to the breach of over 100 million customer records.
Spafford testified that security experts had learned months earlier, from disclosures on industry Internet discussion forums, that Sony was still running older versions of the Apache Web server software.
According to an article in ConsumerReports, the discussions centered around concerns that Sony's networks were "unpatched and had no firewall installed."
Spafford stated that the vulnerabilities were "reported in an open forum monitored by Sony employees" several months prior to the attack against the company's systems.
"If Dr. Spafford's assessment is accurate, it's inexcusable that Sony not only ran obsolete software on servers containing confidential data, but also that the company continued to do so after this information was publicly disclosed," said Jeff Fox, Consumer Reports Technology Editor.
If Sony was aware of the vulnerabilities but failed to act to mitigate the risk, it could present significant problems as the company gears up to face lawsuits brought by affected customers.
In late April, Sony announced that the PlayStation Network was the subject of a breach that compromised the records of as many as 70 million customers.
After several days of investigation, Sony announced that the intruders may have accessed private customer information including login credentials, billing information, and credit card details.
About a week later, Sony announced that the company's Online Entertainment division was also the target of hackers in April, adding another 25 million exposed records to the breach event.
A lawsuit was filed in U.S. District Court almost immediately after Sony announced the attack had led to the disclosure of confidential data, and the suit seeks class action status on behalf of all U.S. customers.
Another lawsuit has been filed in Canada that also seeks class action status and damages of over one billion dollars for the more than one million Canadian customers impacted by the data breach.