Thursday, May 05, 2011

Sony details PSN hack in letter to U.S. Congress

In a letter to the U.S. Congress posted to Flickr (right where we expect to find textual documents), Kazuo Hirai, Chairman of the Board of Sony Computer Entertainment America (SCEA), attempted to answer questions around the PlayStation Network (PSN) / Qriocity hack which prompted them to take the services offline about two weeks ago.

Among the details that were elaborated on in the letter to Congress, Sony said in a blog post, were:
  • Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
  • Sony discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.” [However, Anonymous has denied any involvement in the hack]
  • By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
  • As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack. [This is despite the reports of fraudulent charges circulating around the Web via end users]
  • Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
  • We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.
Looking directly at the letter itself, other details emerge:
  • At least some information was stolen from all of its 77 million PSN accounts. However, Sony doesn't know how much or exactly what information was stolen from each account.
  • Sony had about 12.3 million credit card numbers on file, but Sony still doesn't see any evidence that the hackers had tried to steal the account numbers. Sony says that credit card companies have reported no increase in fraud since the attack.
  • The hackers used "extremely sophisticated methods" to cover their tracks. That included deleting log files on the servers they accessed to hide their activity.
  • Although they made no mention of it in their initial blog posts, Sony said they will offer U.S. customers complimentary credit monitoring. They will also offer something similar in other parts of the globe, based on local laws.
Much of the criticism over Sony's reaction to the hack has been the amount of time it took to tell customers that some or all of their personal information had been accessed. In its letter to Congress, Sony said that it told the FBI about the attack on April 22, which was four days before it gave details to the general public.