Wednesday, April 27, 2011

SONY PlayStation network user credit card info hacked

 
The SONY admission that a hacker may have accessed all user info short of credit card 4-digit CSCs should lead to a class-action lawsuit in the USA.

Users should have had the option to use their hardware as the basis for a public-private key encryption of personal information.

The main reason not to do so is greed: SONY required access to pursue fraud and non-payment.  Let SONY now balance this against their present plight.

In all likelihood Oracle relational databases were used by SONY.  Storing strings in relational tables is easy for the developer and a joy for the hacker.  But what functionality could have required relational tables for the personal information of users? Well, it may have made things easier, faster and cheaper for the SONY info tech folks.  Manager gets bonus but users get ...

Sadly, the focus now is likely to be on network security.  And a Master appointed to advise a judge would likely come from the world in which Oracle DB tables are the norm for any and all data.

Access to data should have been on a process basis and no hacker should have been able to fork such a process: only such a process should have been able to convert that data into readable and usable information.

So ... had SONY used Erlang, would their customers be in this sad situation today?  And that is only one option from their asset stables.

Users will have a different view: regardless of the technology in play, they should have been notified pronto.  Forget KISS, CRUD and ACID. The term of the day is PRONTO.

With any luck, the hacker was in for cred and not credit cards.  But SONY is a giant and this should be a sobering moment for corp IT that is public-facing.  And for users? Well, caveat emptor.  And then get a lawyer with a proven record in class actions.
