Sony, Sony, Sony. This ought to add yet another level to the PR nightmare that’s become the PlayStation Network breach.
In a House Energy and Commerce Committee hearing yesterday, Gene Spafford, a professor at Purdue University and executive director of the school’s Center for Education and Research in Information Assurance and Security—the largest of its kind in the country—said the following about the recent breach of Sony’s PlayStation Network:
“[I]ndividuals who work in security and participate in the Sony network had discovered several months ago while they were examining the protocols on the Sony network to examine how the games work, [that] the network game servers were hosted on Apache web servers—that’s a form of software.
But they were running on very old versions of Apache software that were unpatched and had no firewall installed, and so these were potentially vulnerable.
And they had reported these in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software. That was two to three months prior to the incident where the break-ins occurred.”
Spafford’s above quote was in response to a question asked of him by one of the committee members regarding a document he provided as testimony (see here – PDF file) wherein he wrote, “Sony was running software that was badly out of date, and had been warned about that risk.”
The disturbing aspect of all this is that if Sony was publicly warned in an open forum about the holes in its system, that same information would have been available to anyone who’d want to potentially break into such a system. You’d think that such a warning would have become a high priority for Sony.
If you check out the above video starting at around the 54-minute mark, you can watch Spafford’s testimony. The PDF document is a decent read, too. Its basic premise is that as consumers, it’s troubling that we really don’t know much about which companies have our personal information—Spafford alludes to the recent Epsilon breach as an example—yet we should be able to expect that our personal information is reasonably safe.
More on TIME.com: