Sony Breach Shows Amazon Cloud’s Hacker Appeal


For three pennies an hour, hackers can rent Amazon.com Inc. (AMZN)’s
servers to wage cyber attacks such as the one that crippled Sony Corp. (6758)’s
PlayStation Network and led to the second-largest online
data breach in U.S. history.

A hacker used Amazon’s Elastic Compute Cloud, or EC2,
service to attack Sony’s online entertainment systems last month, a person with
knowledge of the matter said May 13. The intruder, who used a bogus name to set
up an account that’s now disabled, didn’t hack into Amazon’s servers, the
person said.

The incident helps illustrate the dilemma facing Chief
Executive Officer Jeff Bezos: Amazon’s cloud-computing service is as cheap and
convenient for hackers as it is for customers ranging from Netflix Inc. (NFLX)
to Eli Lilly & Co. (LLY). Last month’s attack on Sony
compromised more than 100 million customer accounts, the largest data breach in
the U.S. since intruders stole credit and debit card numbers from Heartland
Payment Systems in 2009.

“Anyone can go get an Amazon account and use it
anonymously,” said Pete Malcolm, chief executive officer of Abiquo Inc., a Redwood City,
California-based company that helps customers manage data internally and
through cloud computing. “If they have computers in their back bedroom they are
much easier to trace than if they are on Amazon’s Web Services.”

Network Resumption

Sony on May 14 partially restarted its PlayStation Network
and Qriocity services, which had been shut since April 20 because of the
intrusion. The company has hired three security firms to investigate and is working
with law enforcement officials. Sony has faced a backlash from regulators
and customers over the time it took to warn customers that their data may have
been stolen.

Drew Herdener, a spokesman for Seattle-based Amazon, the
world’s largest online retailer, declined to comment. Amazon didn’t respond to
a request to speak with Bezos. Patrick Seybold, a U.S. spokesman for
Tokyo-based Sony, declined to comment beyond public statements made on the

The Federal Bureau of Investigation will likely subpoena Amazon or seek a search
warrant to access the history of transactions, trace who had access to the
specific Internet address at the time and get details on payment data, said
E.J. Hilbert, president of the security company Online Intelligence and a
former FBI cyber-crime investigator.