Sony: data theft occurred while we were “distracted”
Sony has blamed internet vigilante group Anonymous for indirectly allowing a hacker to gain access to personal data of more than 100 million of its customers.
The accusation came in a letter to Congress and prompted renewed complaints that the Japanese electronics giant’s disclosure had been inadequate and tardy.
The company waited two days after first discovering data was stolen from its PlayStation video game network before contacting law enforcement, and didn’t meet with FBI officials until five days later.
“Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyberattack,” Kazuo Hirai, chairman of the board of Sony Computer Entertainment America, said in a letter to the US Congress.
The theft prompted the US Justice Department and Federal Bureau of Investigation to open an investigation. “It is something we are taking extremely seriously,” said US Attorney General Eric Holder.
He said the Government is also probing the theft of reams of email addresses and names that Alliance Data Systems Corp’s Epsilon marketing unit discovered last month.
New York Attorney General Eric Schneiderman has subpoenaed Sony entities over the breaches. He subpoenaed Sony for conversations and documents that related to its security systems and any representations about those systems made to consumers, said a source familiar with the issue. A Schneiderman spokesman declined comment.
Wedbush Securities analyst Michael Pachter said Sony’s public disclosures have not been sufficient to quell customer concerns about the theft.
“Sony needs to make a statement to consumers: ‘You will not be harmed, and we will indemnify you against any harm.’ And they just have not done that in any of their apologies.”
Sony said that its video game network was breached at the same time it was defending itself against a major denial-of-service attack by a group calling itself Anonymous. A denial-of-service attack makes a server or system unavailable by overwhelming its network with internet traffic.
Anonymous is the name of a grass-roots cyber group that in December launched attacks that temporarily shut down the sites of MasterCard and Visa using simple software tools available for free over the internet.
The group hit the two credit-card companies with denial-of-service attacks that overwhelmed their servers, in retaliation for their blocking of payments to WikiLeaks.
Sony said that Anonymous targeted it several weeks ago using a denial-of-service attack in protest against Sony defending itself against a hacker in federal court in San Francisco.
The attack that stole the personal data of millions of Sony customers was launched separately, while the company was distracted protecting itself against the denial-of-service campaign, Sony said.
The company said it was not sure whether the organisers of the two attacks were working together.
Sony did say that its PC gaming unit, Sony Online Entertainment, discovered last Sunday a file planted on a server that was named “Anonymous” and contained the words “We are legion”. But the self-styled vigilantes denied involvement in the data theft.
They released a statement via YouTube last month saying that while the group’s organizers had not stolen the data, it was possible some members of the group were involved in the matter.
Members of Anonymous involved in the denial-of-service campaign may have decided to seize the opportunity to steal the data while Sony was distracted protecting its network, said Jeff Moss, chief security officer for the Internet Corporation for Assigned Names and Numbers (ICANN).
The company noticed unauthorised activity on its network on 19 April, and discovered that data had been transferred off the network the next day. It waited until 22 April to notify the FBI.
Sony chose to disclose the latest details of the attacks in a letter to the US House Energy and Commerce subcommittee on commerce, manufacturing and trade rather than testify in a hearing on cyberattacks that was held on Wednesday.
Lawmakers expressed disappointment that Sony and Epsilon declined to appear at the hearing and pledged a bill that would require companies to do a better job of safeguarding their customers’ data and to quickly disclose to customers when their data was lost.
Subcommittee chairwoman Mary Bono Mack noted with dismay that Sony first disclosed the breach on a blog. “Sony put the burden on consumers to search for information, instead of accepting the burden of notifying them,” she said. “If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”