Blumenthal Calls for DOJ Investigation of Sony Playstation Data Breach

(Hartford, CT) – Senator Richard Blumenthal (D-CT) today called for the Department of Justice to investigate all aspects of the Sony PlayStation Network data breach, sending Attorney General Eric Holder a letter urging DOJ “to immediately open an investigation to track down and hold accountable those who have stolen sensitive personal information, and to examine any potential wrongdoing in Sony’s response to this matter.”

“Any individual hacking into the PlayStation Network online and stealing personal information would appear to be criminally liable. It is vital that we aggressively investigate these hackers and hold them accountable,” wrote Blumenthal in the letter. “I am especially concerned about Sony’s failure to promptly notify its customers about the breach and what data may have been compromised… This week-long delay in disclosing a possible breach of financial information is unacceptable, and left consumers highly vulnerable and primarily reliant on the varied quality of whatever anti-fraud protections may be provided by their banks or credit card providers. Any investigation of this matter should include a thorough inquiry into whether Sony’s handling of events in the wake of its security breach gives rise to civil or criminal liability.”

The Sony PlayStation Network breach occurred sometime between April 17 – 19, 2011, potentially compromising sensitive personal and financial information of 50 to 75 million users. Blumenthal wrote the President and CEO of Sony Computer Entertainment America earlier this week demanding answers over the company’s then-failure to notify millions of customers of the data breach. He called for Sony to provide PlayStation Network users with financial data security services, including free access to credit reporting services for two years, the costs of which should be borne by the company. Additionally, he argued that affected individuals should be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.

The text of the letter follows:

 

April 28, 2011

The Honorable Eric Holder
Attorney General
U.S. Department of Justice
950 Pennsylvania Avenue, NW
Washington, DC 20530

Dear Attorney General Holder:

I write regarding a major breach of digital consumer information held by Sony Computer Entertainment America (“Sony”), to urge you to immediately open an investigation to track down and hold accountable those who have stolen sensitive personal information, and to examine any potential wrongdoing in Sony’s response to this matter.

According to an email sent late last night by Sony to its PlayStation Network customers, “between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network.” This attack may have compromised the personal and financial information of around 70 million users.

Sony has indicated that “an unauthorized person has obtained” information from user accounts, including name, address, country, email address, birthdate, PlayStation Network/Qriocity password and login information, and handle/PSN online IDs. Sony has also indicated that “profile data” including “purchase history and billing address” may have been obtained, as well as “PlayStation Network/Qriocity password security answers.” Furthermore, the company has noted that minors may also have had their personal information stolen and that it “cannot rule out the possibility” that credit card information has also been stolen.

The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, criminalizes unauthorized access and use of computers and computer networks. Under the law, anyone who accesses a protected computer, without authorization, can be prosecuted.[1] A “protected computer” includes one “which is used in or affecting interstate foreign commerce or communication.”[2] The Justice Department has taken the position that “it is enough that the computer is connected to the Internet; the statute does not require proof that the defendant also used the Internet to access the computer or used the computer to access the internet.”[3] Thus, any individual hacking into the PlayStation Network online and stealing personal information would appear to be criminally liable. It is vital that we aggressively investigate these hackers and hold them accountable.

Furthermore, I am especially concerned about Sony’s failure to promptly notify its customers about the breach and what data may have been compromised. Although Sony rightly disabled its PlayStation Network soon after learning of the breach, it waited two days before announcing that its network was down due to an “external intrusion” – and this announcement was simply posted on the PlayStation blog. I am troubled that Sony waited four more days before announcing on its blog that the external intrusion may have resulted in users’ personal and financial information being compromised, and waited one additional day before making any affirmative effort to contact its users and inform them of the breach and possible third-party access to their personal and financial information.

Consumers who do not read Sony’s blog or news reports on the security breach therefore only learned of their vulnerability last night, when Sony emailed its customers. This week-long delay in disclosing a possible breach of financial information is unacceptable, and left consumers highly vulnerable and primarily reliant on the varied quality of whatever anti-fraud protections may be provided by their banks or credit card providers. Any investigation of this matter should include a thorough inquiry into whether Sony’s handling of events in the wake of its security breach gives rise to civil or criminal liability. If it does not, I would welcome comments from the Justice Department regarding how the law can be updated to best hold companies accountable for inadequate protection of personal consumer information, and inadequate notification when breaches occur.

Thank you for your attention to this important issue and for your continued work on behalf of the American public.

Sincerely,

/s/

Richard Blumenthal
United States Senate

# # #