Sony has released its response to the 13 questions put to it by the US House of Representatives today about the massive data breach. Millions of American consumers' data was compromised when the PlayStation Network was hacked, and in the response Sony hinted that Anonymous may have been involved. Kazuo Hirai, then chairman of Sony Computer Entertainment America, submitted six pages of answers to the House of Representatives' questions and has subsequently shared them with the public.
Here’s a quick summary of Hirai’s letter:
- Sony has been the victim of a very carefully planned, professional, highly sophisticated criminal cyber attack.
- They discovered that the intruders had planted a file on one of Sony Online Entertainment's servers named "Anonymous" containing the words "We are Legion."
- By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, they notified customers of those facts.
- As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
- Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cyber crime and cyber terrorism.
- Sony is taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.
Hirai's letter touches on several notable points. On the delay in disclosure, he writes: "I am of course aware of the criticism Sony has received for the time taken to disclose information to our customers. I hope you can appreciate the extraordinary nature of the events the company was facing – brought on by a criminal hacker whose activity was neither immediately nor easily ascertainable. I believe that after you review all the facts you will agree that the company has been acting in good faith to release reliable information in accordance with its legal and ethical responsibilities to its valued customers."
The most interesting part of the statement is that Sony found a file planted on its servers titled "Anonymous" containing the words "We Are Legion." This new detail sits awkwardly with Anonymous' earlier statement of April 22, titled "For Once We Didn't Do It," which addressed the PSN outage: "While it could be the case that other Anons have acted by themselves AnonOps was not related to this incident and takes no responsibility for it. A more likely explanation is that Sony is taking advantage of Anonymous' previous ill-will towards the company to distract users from the fact the outage is actually an internal problem with the company's servers." It is still unclear whether Anonymous is behind the attack. Sony points to the planted file but stops short of a firm attribution, and a text file dropped on a compromised server is trivial for anyone to forge, so on its own it is weak evidence of who was responsible.
On page 4 of the letter, Hirai goes into detail on the forensic timeline after the intrusion was discovered. "The team took until the afternoon of April 22, 2011, to complete the mirroring of nine of the 10 servers that were suspected of being compromised. By the evening of April 21, 2011, the forensic teams were able to confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators, and escalate privileges inside the servers." He goes on to describe what the hacker(s) did, and says that once the extent of the initial damage became clear, Sony brought in a second forensic team.
According to Sony, they have four key principles that they’ve been working under throughout this whole PSN Outage debacle:
1. Act with care and caution.
2. Provide relevant information to the public when it has been verified.
3. Take responsibility for our obligations to our customers.
4. Work with law enforcement authorities.
However, another passage in Hirai's letter suggests it took a long time to get the FBI fully involved. "The forensic experts that Sony Network Entertainment America had retained had not determined the scope or effect of the intrusion at the time the FBI was contacted. A meeting was set up to provide details to law enforcement for Wednesday, April 27." The PSN went down on April 20, so the briefing with the FBI was scheduled a full week after the outage began; note that the letter distinguishes the initial contact with the FBI from that April 27 meeting, so the first contact may have come earlier.
Sony also told the committee about their Welcome Back initiative and their other plans for the PlayStation Network. They also said in a statement, “We are working around the clock to have some PlayStation Network services restored and we’ll be providing specific details shortly.”