Sony Ericsson's Canadian Online Store Hacked, Customer Details Stolen

Sony Ericsson has confirmed that its Canadian digital download platform, the "eShop," has been compromised. 2,000 users are affected, according to statements from a company spokesperson speaking to the AFP.

The new security breach follows a massive theft of personal data from Sony's PlayStation Network and Sony Online Entertainment services, including names, passwords and addresses from more than 100 million accounts in early April 2011.

"Sony Ericsson's website in Canada, which advertises its products, has been hacked, affecting 2,000 people," Sony Corp. Spokesman, Atsuo Omagari told AFP. "Their personal information was posted on a website called 'The Hacker News'. The information includes registered names, email addresses and encrypted passwords. But it does not include credit card information."

The link to the Sony Ericsson eShop site featured a message that said "D'oh! The page you are looking for has gone walkabout. Sorry." Sony Ericsson has, for now, disabled this website from their services. According to them, it's a standalone website not currently connected to the company's servers in any major way. To add an extra layer of security, Sony has shut down the Canadian branch of the Sony Ericsson eShop page, which currently gives a 404 error upon trying to open it.

There have been no reports of damage from the security breach. After the incident, visitors to ca.eshop.sonyericsson.com, which sells Sony Ericsson cell phones and accessories, were informed that the site was down. Others were diverted to the company's U.K.-based e-commerce site to make purchases instead. An investigation was under way, and other details were not immediately available.

The apparent culprit of the hack is a self-described "Lebanese grey-hat hacker" named "Idahc". Unlike the other attacks, Idahc was able to compromise both Sony Canada's online store and customer database, though both he and Sony claim that credit card information was not touched.

He did, however, post nearly 1,000 of the records he accessed online and a file containing some of that data was put on The Hacker News, a site that tracks cyber attacks. Included with the file was a message from Idahc himself: "I hacked the database of ca.eshop.sonyericsson.com with a simple sql injection (LOL). Hackers vs. Sony. We are the winners."

Other Sony sites falling to hackers recently include the Sony Music site in Greece, in which 8,500 user account details had been compromised; Sony's Thailand website which was found to contain a phishing website; and Sony's Indonesia website. It seems an SQL injection was used in each case. The series of breaches has damaged Sony's brand image and undermined its efforts to link its gadgets to an online "cloud-based" network of games, movies and music that relies on consumer confidence in their security.

The number of cyber attacks is only going to increase if organizations and companies, even big companies like Sony Corp., fail to pay attention on the vulnerabilities of their network security. One proven way to mitigate information security risks is through technical security training that will enhance the skills proficiency of the cyber security workforce. EC-Council has launched the Center of Advanced Security Training (CAST), to address the deficiency of technically proficient information security professionals.

Additionally, the all-new EC-Council CAST Summit series is also created to make advanced information security training opportunities available for information security professionals across the globe. It will be the excellent platform for any IT security professionals to acquire cutting edge skills by embarking on the CAST workshops, or further enhance their IT security knowledge by attending the one-day seminar.

The 3 days CAST Summit workshop covering current and important security topics such as penetration testing, application security, cryptography, network defense and mobile forensics training, and allows for participants to actually learn, and not just listen or be rushed through a short presentation like how it's like in many other events or conference. All of these IT security trainings will only conducted by appointed EC-Council Master Trainers, some of whom are authors of the respective trainings.