Second LulzSec hacker sentenced
Another member of the hacking collective has been sentenced for his involvement in the 2011 Sony Pictures Entertainment breach.
A second member of the notorious hacking collective LulzSec has been sentenced for his involvement in the 2011 Sony Pictures Entertainment breach.
In total, the breach compromised the personal information of 77 million people.
LulzSec is known for its association with hacktivist group Anonymous, which has made its name through hacks and distributed denial-of-service attacks against government, religious, and corporate Web sites.
In a statement, the FBI said Raynaldo Riviera, aka "neuron", was sentenced to a year and a day in federal prison. In addition, Riviera was ordered to serve 13 months of home detention, perform 1 000 hours of community service, and pay $605 663 in restitution. He was arrested in August 2012, and pleaded guilty in October that year.
In April this year, Riviera's co-conspirator, Cody Kretsinger, who went by the name "recursion", received an identical sentence.
Court documents revealed LulzSec hacked Sony Pictures to see the "raw, uninterrupted, chaotic thrill of entertainment and anarchy". In addition, it said it wanted to be entertained by what "equally evil people" will do with the stolen information.
LulzSec said at the time, that Sony was "owned" by a SQL injection, a "primitive and common" vulnerability. It said from that single injection, it accessed everything.
The hacking collective was quoted as saying: "Why do you put such faith in a company that allows itself to become open to these simple attacks?"
The two employed a SQL injection attack against Sony's Web site to obtain confidential information. They then distributed the stolen information - including names, addresses, phone numbers and e-mails of Sony customers - on the Web.
The Electronic Crimes Task Force, in Los Angeles, conducted the investigation, and is made up of agents and officers from the FBI, the US Secret Service, the LAPD and other law enforcement agencies.
Timeline of the breach
19 April 2011: Sony discovers its PlayStation Network and Qriocity networks have been compromised.
20 April: Sony closes down the two networks.
21 April: Sony says it is investigating the cause of the outage.
22 April: Sony admits to a breach, and says it has turned off PlayStation and Qriocity to conduct a thorough investigation.
25 April: Sony says a "thorough investigation" is under way, but it has not yet determined whether its users' personal information or credit card numbers have been compromised.
26 April: Sony says billing addresses, user names, passwords and possibly credit card info belonging to its PlayStation Network Customers have been stolen.
27 April: Sony shares fall 2%, ending trading in Tokyo at 2 366 yen, down 49 yen. In addition, in the US, a class-action lawsuit is filed.
28 April: Sony shares drop 4.5% to end the week at 2 260 yen. A database of 2.2 million Sony customer credit cards is offered for sale on an underground Internet forum.
29 April: A US Congressional committee asks Sony Computer Entertainment for answers on several issues surrounding the leak of customer information.
1 May: Sony executives apologise and announce plans to bring the two networks back online in stages, adding that online gaming services will return later in the week with full service resumed by mid-May.
2 May: The breach extends to Sony Online Entertainment.
5 May: A review of the breach reveals it was larger than initially suspected, and that hackers may have taken personal information from an additional 25 million user accounts.
6 May: Sony indicates some credit card numbers were compromised.
7 May: Sony discovers hackers have placed customer information online, and removes the information.
17 May: Hackers begin changing user passwords by using PSN account e-mails and dates of birth within two days of the partial restoration of the PlayStation Network. Sony shuts down the PlayStation Network again.
6 June: Sony fully restores all PlayStation Network services besides Japan. The PlayStation Store and Qriocity divisions are now functioning properly.
21 July: One of Sony's insurers sues to deny releasing data breach coverage funds to Sony. Sony says it expects the breach to lower operating profit by $178 million in the current financial year. Fifty-five class action complaints have now been filed.
19 October: A federal judge clears Sony of negligence, unjust enrichment, bailment, and violations of California consumer protection statutes.