Sony incident - yet more

Gene Spafford has told a congressional hearing that, months before the incident, Sony knew it was running old and unpatched software on its web servers ... implying that they were negligent in not patching or updating to address known security vulnerabilities. 

It's not quite so cut-n-dried in practice however as patching/updating production services is itself a risky business (not least because the patched/updated software may have yet more security vulnerabilities). Sony evidently had other/compensating controls in place, since they at least detected the latest breach through their network security monitoring.

Unfortunately, this happened too late to stop the hacker/s extracting personal information probably including credit card numbers.