SUNY Old Westbury Capital One & PSN Hacking Attacks Discussion Replies


In your responses to your peers:

  • Further expand on the claims of the original poster, and those who already responded.
  • Then explain why it is difficult to conduct a quantitative risk assessment (RA) for an IT infrastructure.


in 2011 a group of black hat hackers who called themselves lulzsect hacked and released the personal information of thousands of PlayStation customers. Information included credit card numbers, addresses, email addresses, and corresponding names. This was a huge nightmare for gamers who had trusted playstation with their personal data, caused Sony millions in damages.

The hackers; who were very pompous and arrogant about their exploits, going as far as to brag about them on their own group twitter account. In it they exploited that hacking Sony had been very easy as Sony had been storing personal data without any sort of encryption of personal security keys or passwords. They had not used any sort of password hashing, scrambling, or encryption to hide users personal data. Peoples username and password combinations were just sitting there in plain text. 

It is very obvious that Sony had never anticipated the possibility of something on such a large scale happening, it can only be attributed to total insubordination and arrogance why no security measures for peoples data was taken. It basic data security to provide some sort of encryption for this type of information. 


For this weeks discussion on the topic of risk assessment I have chosen to research the Capital One breaches, where many customers data, including social security numbers, bank account information and more was stolen by hackers who had been able to compromise the security of Capital One banks. This breach had a multinational impact as it revealed the information of millions of Americans and Canadians alike. 

While Capital One claims that this breach was solely due to the hacker’s expertise and skill to extract this amount of data, there was clearly a lack of security protocols being followed for this to occur. For this particular case, I believe that a qualitative risk assessment would have been useful to prevent this event from occurring. While quantitative risk assessments are excellent at what they do, there aren’t specific data points to look at when trying to predict the likelihood of a hack, this kind of risk requires a review regarding the quality of security currently implemented within the company. 

In response Capital One’s CIO appeared to have controlled the situation as best they could and assured the media that this kind of breach will not be happening again as they have identified the kind of security failure within their systems and will adjust it accordingly. Their attitude towards the situation did seem appropriate but I do believe that there was some sort of improper risk evaluation of how risk assessment should be handled within the security department of Capital One. The company would greatly benefit from more qualitative risk assessments going forward, as this kind of security flaw would put up big red flags for anyone conducting this kind of assessment.