Sony Gives Details on Massive Data Theft to Congress
As Sony continues to determine the severity and scope of a recent cyberattack that saw personal information for over 100 million customer accounts stolen, Congress is demanding answers.
After declining a request by the House Subcommittee on Commerce, Manufacturing and Trade to attend a hearing today on online data theft (including how Sony handled the security breach), the company has released a letter from Kazuo Hirai, chairman of the board of Sony Computer Entertainment America, to the committee.
In the eight-page dispatch, Hirai lays out a timeline of the attacks and tackles criticism that Sony was slow to alert consumers that their personal information had been compromised.
"What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes," he wrote.
To date, Hirai says the company has not identified the individual or group behind the attack, but did note that Sony had found a file planted on the server of Sony Online Entertainment named "Anonymous". (SOE announced Tuesday that it discovered hackers had accessed and stolen information from 25 million accounts.)
"I am of course aware of the criticism Sony has received for the time taken to disclose information to our customers ... (but Sony) was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions..."
"When Sony Online Entertainment discovered this past Sunday afternoon that data from its servers had been stolen, it also discovered that the intruders had planted a file named 'Anonymous' on one of those servers, a file containing the statement 'We are Legion'," he wrote.
Anonymous, a rogue group of hackers whose membership ebbs and flows, has famously launched attacks on both Gene Simmons and Hustler Magazine. The group managed to disrupt Sony's web servers with a Distributed Denial of Service (DDoS) attack in April. Anonymous attackers, using software known as “Low Orbit Ion Cannons,” repeatedly pinged the company's servers. When done simultaneously by enough users, this can bring the site down — usually quickly and without warning.
Sony says the data intrusion occurred on or around the same time as this attack — but was not detected because it was a very sophisticated hack that exploited a system software vulnerability and the company's security teams were distracted trying to defend against the DDoS attack.
"Whether those who participated in the denial of service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know," wrote Hirai. "In any case, those who participated in the denial of service attacks should understand that — whether they knew it or not — they were aiding in a well planned, well executed, large-scale theft."
Anonymous has denied responsibility for the incident.
Hirai tells the committee that Sony now believes it has identified how the breach occurred, but said he was reluctant to make the details publicly available because of the ongoing criminal investigation — The FBI, along with three private security companies, is helping Sony determine the scope of the attack and to find the person or people responsible.
The company cannot yet rule out the possibility that credit card information was accessed, but says current evidence leads it to believe the 12.3 million credit cards it had on file, including 5.6 million from the U.S., remain secure.
"As of today, the major credit card companies have not reported that they have seen any increase in the number of fraudulent credit card transactions as a result of the attack, and they have not reported to us any fraudulent transactions that they believe are a direct result of the intrusions," wrote Hirai.
As for the delay in informing customers about the breach, Hirai says Sony has "tried to err on the side of safety and security" and did not want to release any information until it had confirmed it.
"I am of course aware of the criticism Sony has received for the time taken to disclose information to our customers," he wrote. "I hope you can appreciate the extraordinary nature of the events the company was facing ... Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence."