Sony's security was not updated and the PlayStation Network had little firewall protection, according to the testimony of a cybersecurity expert before Congress.
Speaking to the House Energy & Commerce Committee, Eugene Spafford, the executive director of the Purdue University Center for Education and Research in Information Assurance and Security (CERIAS), said the problem at Sony was that the PlayStation Network it was using an older version of the Apache Web server software. He said the problem was reported on an open forum.
Spafford added that Sony employees knew about the problem for two months before it came to light as a result of the data breach.
Sony detected the hacking attack on April 19. But some data was stolen two to three days before that, from the Sony Entertainment Online network.
Spafford noted that when investigators detect a data breach, they sometimes have to figure out when the vulnerability left their systems open, because the vulnerability isn't noticed until someone exploits it.
The Privacy Rights Clearinghouse keeps a database of known data breaches. The organization notes that there are dozens of data security breaches every year and 100 million records are exposed on average. Spafford noted that with 100 million records from Sony being released it might even depress the price of credit card records.
While some might bash Sony, Pablo Martinez, Deputy Special Agent in Charge of the Criminal Investigative Division at the U.S. Secret Service, told the committee that Sony is hardly alone. The vast majority of attacks on databases were not highly difficult.
A Sony spokesperson did not respond to a request for comment.