
Blumenthal Demands Answers from Sony Executives Following Additional Security Breach

(Washington, DC) – Senator Richard Blumenthal today continued to pressure Sony executives for answers following new reports that the company’s data breach included the compromise and theft of data from an additional 24.6 million Sony Online Entertainment accounts. Sony had originally announced that a cyber-attack on its PlayStation accounts had resulted in 50-75 million accounts being compromised, including the theft of identifying information like names, birth dates and financial information.

In today’s letter, Blumenthal renewed his calls for answers and called for financial resources to be made available to all clients.

“I am deeply concerned about the egregious inadequacy of Sony’s efforts thus far to notify its customers of these breaches or to provide adequate protections for users whose personal and financial information may have been compromised,” said Blumenthal in a letter to both the Chairman and President & CEO of Sony Computer Entertainment America. “Sony’s failure to adequately warn its customers about serious security risks is simply unconscionable and unacceptable … The company should do everything in its power to promote transparency and speed notification in order to protect its users against identity theft and financial fraud,” the letter continues.

After the first reports of a security breach, Blumenthal wrote to the President and CEO of Sony to demand answers over the company’s delay in notifying its clients of the data breach and to urge the company to provide users with free access to financial data security services and financial insurance to mitigate the consequences of identity theft.

Last week Blumenthal requested that Attorney General Eric Holder begin an investigation by the Department of Justice into the illegal hacking of Sony accounts and examine any potential wrongdoing by Sony.

The full text of the letter is below.

May 3, 2011

Mr. Kazuo Hazai
Chairman
Sony Computer Entertainment America
919 East Hillsdale Boulevard
Foster City, CA 94404

Mr. Jack Tretton
President and CEO
Sony Computer Entertainment America
919 East Hillsdale Boulevard
Foster City, CA 94404

Dear Mr. Hazai and Mr. Tretton:

            I am writing in the absence of a response to my letter of April 26 regarding the breach of Sony’s PlayStation Network service, and pursuant to today’s news of a breach of Sony’s Online Entertainment service. I am deeply concerned about the egregious inadequacy of Sony’s efforts thus far to notify its customers of these breaches or to provide adequate protections for users whose personal and financial information may have been compromised.

            As I previously wrote to you, “when a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised.” I am astonished by Sony’s failure to notify its customers in a timely manner about the breaches themselves, as well as to learn of the extent of the compromised data. Although Sony learned of the intrusion on its servers on April 19 and subsequently shut down its PlayStation Network, it did not begin sending email notification to users until a week later. Representatives of Sony have told my staff that this delay was due to Sony’s inability to send out more than 500,000 emails per hour, thus requiring several days to notify all of the affected users. If those technological limitations are true, today’s report that 24.6 million additional Sony customers may have been affected and will require notification is particularly troubling. I ask that additional steps be taken to expedite and speed notification.

            Sony’s failure to adequately warn its customers about serious security risks is simply unconscionable and unacceptable. If Sony’s email capacity is indeed limited to sending 500,000 emails per hour, email notification of all of Sony’s 77 million PlayStation Network users would take nearly a week to complete. It is therefore possible that some users are receiving an email telling them their personal and financial information may have been breached nearly two weeks after the breach occurred. It is inconceivable that Sony has not considered other options for timely notification. The company should do everything in its power to promote transparency and speed notification in order to protect its users against identity theft and financial fraud.

            Also confounding and unacceptable is Sony’s waiting until today to announce the breach of its Sony Online Entertainment service. Sony has claimed that this breach occurred at the same time as the breach of its PlayStation Network on April 19. If that is indeed the case, why did it take Sony until May 1 to discover this additional breach? Has Sony assessed the integrity of its other networks to determine whether any other breaches may have occurred?

I have asked Attorney General Eric Holder to investigate the criminal breach of Sony’s servers, as well as whether Sony’s subsequent handling of events in the wake of its breach gives rise to civil or criminal liability. I will be pursuing my request to the Attorney General at tomorrow’s Judiciary Committee hearing, at which he will be testifying.

Although Sony has not yet formally responded to my earlier letter, I would appreciate a direct and public answer detailing what the company will do in the future to protect its consumers against breaches of their personal and financial information. Sony should also clarify the number of credit card accounts that may have been compromised; news reports have indicated as many as 10 million cards on the PlayStation Network may have been affected, but Sony has indicated to my staff that the correct number is 9 million, and no information has yet been provided about how many numbers were compromised in this most recent breach. Finally, I would also appreciate a detailed timeline from Sony on this latest incident, outlining what the company knew about what was stolen and when it was known.

In my prior letter, I criticized Sony’s slow notification of PlayStation Network users and encouraged the company to provide two years of free credit reporting services and identity theft insurance to customers who were affected by the PlayStation Network breach. I also believe Sony should immediately notify Sony Online Entertainment service users, and extend these proposed protections to these victims as well. I appreciate your prompt response.

                                                            Sincerely,

                                                            /s/

                                                            Richard Blumenthal

                                                            United States Senate

# # #