PlayStation Network Security Breach Criticized by House Subcommittee

UPDATE: Sony said it believes it has identified how the breach occurred but not who is responsible.

As Sony revealed new details about the assault on its PlayStation Network, the chairman of the House Subcommittee on Commerce, Manufacturing and Trade on Wednesday criticized the company's response as "half-baked" and said the incident has the potential to become "the Great Brinks Robbery of cyber attacks."

Sony's PlayStation and Qriocity online services have been down since April 20 after an unauthorized person hacked into the accounts of an estimated 77 million users, gaining access to names, addresses and possibly credit card information. Information from Sony Online Entertainment also was taken, meaning that an additional 24.6 million users might also have been compromised.

In an eight-page letter from Sony Computer Entertainment America chairman Kazuo Hirai to the House subcommittee, which held a hearing on data theft on Wednesday, Sony said it believes it has identified how the breach occurred but not who is responsible. Company executives chose not to attend the hearing.

Sony revealed that on Sunday it discovered that a file named "Anonymous" had been planted on a Sony Online Entertainment server, containing the words "We are Legion."

The letter related: "Just weeks before, Sony had been the target of a large-scale coordinated denial of service attack by the group called Anonymous. The attacks were coordinated against Sony as a protest against Sony for exercising its rights in a civil action in the U.S. District Court in San Francisco against a hacker."

The group Anonymous has denied responsibility for the PlayStation hack.

During the hearing, subcommittee chairman Mary Bono Mack, R-Calif., said she would introduce data security and data breach notification legislation ensuring that consumers are promptly informed when their personal information has been compromised.

"For me, the single most important question is simply this: Why weren't Sony's customers notified sooner of the cyber attack?" she said. "In Sony's case, company officials first revealed information about the data breach on their blog. ... Sony put the burden on consumers to search for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future."

Bono Mack noted that cyber attacks are on the rise, with more than 30 in the past month alone. In addition to Sony, e-mail marketing firm Epsilon lost control of millions of consumers' names and e-mail addresses last month. Execs from Epsilon also were invited to testify at the hearing but did not appear. Bono Mack criticized Sony and Epsilon for not appearing in person at the hearing.

The congresswoman acknowledged that both Sony and Epsilon are victims but added, "They also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits 'enter.'"

Sony noted that the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of the attack.

Hirai wrote that Sony "immediately hired a highly regarded information technology security firm" and that the criminal activity was "neither immediately nor easily ascertainable." He said Sony "released information to its customers when we and those experts believed that information was sufficiently confirmed."

An earlier post on the PlayStation blog said: "In addition to alerting the media and posting information about it on this blog, we have also been sending e-mails directly to all 77 million registered accounts."

Sony outlined new security measures, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new chief information security officer.

Sony also said it plans to offer complimentary identity theft protection services and a "welcome back" program to customers.

An estimated 9 million Americans fall victim to identity theft every year, costing consumers and businesses billions annually.

Sony's latest blog post, which includes a link to a copy of its letter to the House Subcommittee, can be found here.

Congresswoman Bono Mack's prepared remarks from Wednesday's hearing can be found here.