Mark Dalby

Sony Corp. Chairman and President Howard Stringer on Tuesday apologized for the security breach in April that allowed hackers access to the personal data of over 100 million of its online customers.

At an annual shareholders’ meeting in Tokyo, Stringer apologized for the worry and inconvenience to shareholders, customers and others caused by the hacking of Sony databases.

Stringer said the company had strengthened its information management measures by partnering with outside data security firms. Seeking to explain Sony’s third straight annual net loss in fiscal 2010, Stringer argued the company had performed better than expected until the Great East Japan Earthquake struck in March.

A new class-action lawsuit filed against Sony in the wake of the massive PlayStation Network/Qriocity breach alleges that the company protected its proprietary information but failed to properly safeguard data related to its customers.

The suit (PDF), filed on behalf of plaintiffs Paul Geller, Stuart Davidson and Mark Dearman, who were among the 77 million victims of the breach, claims Sony failed in a number of areas to adequately prevent the incident.

Among the allegations, citing “confidential witnesses cooperating in this investigation,” are that Sony failed to install a permanent firewall on the PlayStation Network and that it knew its security was weak because it had experienced “smaller” hacks prior to the big one.

A lawsuit filed this week suggests that Sony sacked a bunch of employees from its network security division just two weeks before the company’s servers were hacked and its customers’ credit card details leaked.

The suit, which seeks class action status, is being brought by Felix Cortorreal, Jimmy Cortorreal, and Jacques Daoud Jr.  – all victims of the massive data breach that took place in April – “on behalf of themselves and all other similarly situated.”

According to copies of the court documents obtained by thinq_, the trio accuse Sony of a failure to adequately protect customer data. “According to information provided by industry experts and confidential informants,” the papers claim, “Sony knew that its inadequate security systems placed it at increased risk for the attack, which directly and proximately caused the theft of its Customers’ Personal Information and a month-long interruption of the PlayStation and SPE Networks.”

Sony Pictures France is the latest Sony Web site to suffer at the hands of hackers. This time two hackers have claimed credit and say they copied more than 177,000 e-mails from the site.

The two hackers are identified as a Lebanese student called “Idahc” and “Auth3ntiq,” a friend of his from France. They claim to have exploited a SQL flaw to get the information. Idahc and Auth3ntic posted information about their feat, along with a sample of the e-mails they took, to the Web site Pastebin.com.

The hackers aren’t doing anything new. The same sort of exploit was used to break into SonyPictures.com, Sony Pictures Russion and other Sony-owned sites in recent weeks. In fact, Idahc seems to be on a crusade to teach Sony a lesson about bad security.

People often ask what exactly Sony Corp. (6758) did to convince hackers groups like LulzSec and Anonymous to hack the company 19 times so far.  An answer may lie in cases like that of Alexander Egorenkov.

Mr. Egorenkov, a young German and associate of the team of German hardware hackers fail0verflow helped people jailbreak the PlayStation 3 by authoring the “Hypervisor Bible” [torrent] a guide to Sony’s PS3 software protection layer.  Mr. Egorenkov, who goes by “graf_chokolo” online, says his goal was simply to allow people to make full use of the hardware they legally bought.

Sony initially encouraged Linux (OtherOS) installs on PS3s, but with the launch of the PS3 Slim killed the support and issued patches that blocked existing machines from utilizing the newly disallowed Linux.

The same Lebanese hacker who targeted Sony Europe on Friday has now dumped a database from Sony Portugal.

The hacker claims to be a grey hat, not a black hat, according to his post to pastebin.com.

“I am not a black hat to dump all the database I am Grey hat”

Instead of dumping the entire database like many previous Sony attackers, idahc only dumped the email addresses from one table in Sony’s database.

He claims to have discovered three different flaws on SonyMusic.pt, including SQL injection, XSS (cross-site scripting) and iFrame injection.

By my count, this is the 16th attack against Sony since the chaos came raining down on them in mid-April.

There were two other breaches on Monday by LulzSec, but I simply couldn’t bring myself to write about more Sony hacks. LulzSec compromised the Sony Computer Entertainment devnet and downloaded the source code for SCE’s entire website, which they posted on BitTorrent.