As you may have heard, Congress has quite a few questions for Sony after the whole PSN debacle, which compromised sensitive information for all of its 77 million users. To show how serious they really are, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on “The Threat of Data Theft to American Consumers.” Some folks will argue that the government should be focused on more important things like rising gas prices, creating jobs and, most of all in the short term, raising the debt ceiling, but I think that this is a worthy cause nonetheless. You can read the details below, but Sony didn’t really tell Congress anything you haven’t read here several times already. Of the information revealed, the biggest tidbit was that Sony discovered a file on one of their SOE servers named “Anonymous” with the words “We are Legion”. For their part, Anonymous has said that they are not behind this, and if they aren’t, someone is going a long way to set them up.
Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack they experienced that took down the companies’ PlayStation Network for what has been almost two weeks now.
In summary, Sony says that they told the subcommittee that in dealing with this cyber attack they followed four key principles:
1. Act with care and caution.
2. Provide relevant information to the public when it has been verified.
3. Take responsibility for our obligations to our customers.
4. Work with law enforcement authorities.
They also informed the subcommittee of the following:
- Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
- We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
- By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
- As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
- Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
- We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.