(Hartford, CT) –Senator Richard Blumenthal (D-CT) today commended Sony Network Entertainment America (SNEA) for responding to his request to provide both information and protection to the customers who may be affected by the massive PlayStation Network and Sony Online Entertainment data breaches.
According to the company, Sony has agreed to provide one year of free credit monitoring service to users, as well as a $1 million insurance policy if they become victims of identity theft.
“I welcome Sony’s strong first step toward protecting millions of consumers whose personal and financial information has been compromised,” said Blumenthal. “While I continue to believe that Sony should have warned users earlier, I am pleased they are providing protective measures including an insurance policy to cover identity theft harms to consumers within a twelve-month window – but I would hope Sony would extend coverage over a longer time on a case-by-case basis if necessary.”
“Sony’s response to preventing similar attacks in the future could serve as a model for other companies facing similar criminal hacking,” Blumenthal continued. “The crime perpetrated on Sony and PlayStation Network users is part of a larger troubling trend of cybercrime, and a reminder that our laws and data security resources must keep pace with advancing technology. I look forward to working with Sony and others in the future to determine the best way forward, and continue to urge the Justice Department to pursue the criminals who attacked Sony’s information system.”
Blumenthal had previously written the President and CEO of Sony Computer Entertainment America, as well as the Chairman, demanding answers over the company’s then-failure to notify millions of customers of the data breach, and subsequently requested that the Department of Justice undertake an investigation to track down and hold accountable the hackers who stole sensitive personal information, and to examine any potential wrongdoing in Sony’s response to the breach.
Blumenthal also called for Sony to provide PlayStation Network users with financial data security services, including free access to credit reporting services for two years, the costs of which should be borne by the company. Additionally, he argued that affected individuals should be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.
The first breach occurred sometime between April 17 – 19, 2011, potentially compromising sensitive personal and financial information of as many as 77 million users. A second breach was then discovered on May 2, potentially compromising up to 25 million more users.
Sony’s response letter is below.
May 5, 2011
The Honorable Richard Blumenthal
The United States Senate
702 Hart Senate Office Building
Washington DC 20510
Dear Senator Blumenthal:
I am writing in response to your letters dated April 26, 2011 and May 3, 2011. I regret not responding to you sooner but I assure you that my attention and the attention of my colleagues literally around the world has been keenly focused on remedying the harm caused by the large scale criminal cyber-attack perpetrated upon Sony and its customers. I welcome your questions and hope that Sony can be helpful in crafting a public policy solution that reduces the chances that cyber-attacks such as this occur in the future.
With respect to your specific questions, please understand that the PlayStation Network is an extremely complex system that consists of approximately 130 servers, 50 software programs and 77 million registered accounts. To determine what meaningful information we could tell consumers about the attack on that network required a thorough investigation to understand what had occurred.
The basic sequence of events is as follows: On Tuesday, April 19, 2011, the Sony Network Entertainment America (SNEA) network team discovered that several PlayStation Network servers unexpectedly rebooted themselves and that unplanned and unusual activity was taking place on the network. This activity triggered an immediate response.
The network team took four servers off line and an internal assessment began. That processcontinued into the evening. On Wednesday, April 2011 SNEA mobilized a larger internal team to assist the investigation of the four suspect servers. That team discovered the first credible indications that an intruder had been in the PlayStation Network system, and six more servers were identified as possibly being compromised. SNEA immediately decided to shut down all of the PlayStation Network services in order to prevent any additional damage.
On the afternoon of April 201 , SNEA retained a recognized security and forensic consulting firm to mirror the servers to enable a forensic analysis. The type of mirroring required to provide meaningful information in this type of situation had to be meticulous and took many hours to complete.
The scope and complexity of the investigation grew substantially as additional evidence about the attack developed. On Thursday, April 21, SNEA retained a second recognized security and forensic consulting firm to assist in the investigation. That firm's role was to provide additional manpower to image the servers and to conduct a forensic analysis of all aspects of the suspected security breach.
The team took until Friday afternoon, April 22, to complete the mirroring of the first nine servers that were suspected of being compromised. By the evening of Saturday, April 23, the forensic teams were able to confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorized access to the servers and hide their presence from the system administrators.
Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network. At this point, SNEA knew it was dealing with a sophisticated hacker and on Sunday, April 24 (Easter Sunday) decided that it needed to retain a third forensic team with highly specialized skills to assist with the investigation. Specifically, this firm was retained to provide even more manpower for forensic analysis in all aspects of the suspected security breach and, in particular, to use their specialized skills to determine the scope ofthe data theft.
By Monday April 25, 2011, the forensic teams assembled by SNEA were finally able to confirm the scope of the personal data that they believed had been taken, but they could not rule out whether credit card information had been accessed.
SNEA was aware of its affirmative obligations under various state statutes to conduct a reasonable and prompt investigation to determine the nature and scope of the breach and to restore the integrity of its network system. SNEA also understood its obligation to report its findings to consumers if certain, specific kinds of personal information could have been compromised. As you are aware, there are a variety of state statutes that apply, and several that have conflicting or inconsistent requirements, but given the global nature of the network, SNEA needed to be mindful of them all - and has endeavored to comply with them all.
Throughout the process, SNEA was very concerned that announcing incomplete, tentative or potentially misleading information to consumers could cause confusion and lead them to take unnecessary actions. SNEA felt that it was important - and that it was in keeping with the mandate of state law - that any information SNEA provided to customers be corroborated by meaningful evidence.
Indeed, many state statutes (e.g., AZ, CT, CO, DE, FL, ID, ME, MD, MS, NE, VT, WI, WY) essentially require disclosure without unreasonable delay once an investigation has been done to identify the nature and scope of what happened and who was affected. That is precisely the course we followed.
While the forensic teams had not completed their investigation as of April 25 and could not determine if credit card information had been accessed, SNEA did not know when or if it would be able to rule out that possibility. And so, on Tuesday, April 26, SNEA and Sony Computer Entertainment America (SCEA) notified consumers of the situation.
SNEA and Sony Online Entertainment (SOE) continued to investigate the potential scope of this criminal attack even after consumers were notified of the breach. In the course of that investigation, on Sunday, May 1, using information uncovered by the forensic teams, engineers at SOE discovered that data had also been taken from their servers. They, too, shut down operations and on Monday, May 2, notified their consumers of the discovery.
Both SNEA and SOE notified consumers about the theft of data in a variety of ways. They issued global press releases that received widespread circulation across a range of media. Both companies have posted notices on the first page of their websites where most consumers are first likely to seek information. SNEA has posted a notice on the PlayStation website (www.PlayStation.com) that directs consumers to PlayStation Network Data Security Updates, and on the Qriocity website (www.Qriocity.com) that directs consumers to the customer support page with an "IMPORTANT Service Announcement". SOE has posted a "Security Notice" on its home page. Sony Computer Entertainment America, the company most associated with the PlayStation® brand, has communicated with its consumers via the PlayStation Blog and has placed a prominent notice on its home page. Finally both SNE and SOE have been sending the e-mail notices to individual consumers that you mentioned in your letter.
In your letter you suggest that sending 500,000 emails an hour is not expeditious; however this limitation exists because these emails are not "batch" e-mails. The e-mails are individually tailored to our consumers' accounts. To comply with the various state laws that recognize personal notice (such as via email) may be delayed or otherwise undeliverable we, in the forms noted above, provided what is known as "substitute notice" to our consumers. (I do not believe the email pace relates to the decision to announce on April 26, as apparently suggested by someone to your staff; these issues are unrelated, and we apologize for any confusion).
With respect to your question about credit cards potentially involved, SNEA had approximately 12.3 million active and expired credit cards, approximately 5.6 million of which were in the U.S. As of this writing, there remains no evidence that the credit card information was stolen and the major credit card companies are still reporting that they have not seen an increase in fraudulent transactions due to this event
Unfortunately, our forensic teams still have not been able to rule out that credit card data was taken. That is why we have continued to be cautious in alerting our customers to the possibility it was stolen.
Since SNEA gave its first notice that the PlayStation Network and Qriocity services were compromised, SOE has subsequently announced the possible theft of personal information from approximately 24.6 million SOE accounts and also announced that approxirniately12,700 credit cards (with expiration dates but not security codes) and approximately 10,700 direct debit records-- all from non-US consumers-- may have been taken.
You have questioned why SOE did not disclose this loss of data from its servers until May 2. The reason was because SOE did not discover that theft until May 1. The intruder carefully covered his or her tracks in the server systems. In fact, as noted above, the discovery was made only after SOE rechecked their machines -- which earlier showed no evidence of theft -- using information developed by our forensic experts working in collaboration with our technical teams.
Notices as required by various state statutes were prepared and the information was made available to consumers through a press release and emails to SOE customers beginning on May 2.
You have also asked how we will protect consumers going forward. We have already advised our consumers in the U.S. that we would offer a complimentary identify theft protection program, the details of which we will announce shortly. SNEA is finalizing details of this offer and SOE has agreed to participate in the offer and will make it available to its consumers as well.
In addition to offering this identity theft protection, SNEA has announced a series of steps that it will take --most of which were in progress before this theft occurred-- to enhance security before the service is restored. SOE has taken or will take similar steps. Those steps are:
• additional automated software monitoring and configuration management to help defend against new attacks;
• enhanced levels of data protection and encryption;
• enhanced capabilities to detect software intrusions within the network, unauthorized access and unusual activity patterns;
• implementation of additional firewalls;
• expediting a planned move of the system to a new data center in a different location with enhanced security; and
• appointment of a new Chief Information Security Officer.
Please allow me to attach a letter delivered yesterday to the House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing and Trade, which provides additional information that might be of interest.
We of course deeply regret that this incident has occurred and have apologized to our customers. We believe we are taking aggressive action to right what you correctly perceive is a grievous wrong against our consumers: a wrong that is the result of a malicious, sophisticated and well orchestrated criminal attack on us and our consumers.
While those who perpetrated this crime no doubt relish putting us in the cross-hairs of controversy, I know you can appreciate how widespread the problem of cybercrime is in society today. What happened to us, though more vast in scope, has happened to many others before. And cybercriminals will continue to attack businesses, consumers, and governments, posing a real threat to our economy and security.
We believe a strong coalition among government, industry, and consumers is needed to identify ways that the public and private sectors can work more closely together to enact strong laws, promote stronger enforcement of those laws, educate people about the threats we face, share best practices and make the Internet a safe place for everyone to engage in commerce. In this we commend you for your leadership.
We do not want what happened to us and our consumers to happen to any other business, consumer or organization, and we look forward to bringing the lessons we have learned to all who are concerned about the threat of cybercrimes to our way of life.
Very truly yours,
President and Group ChiefExecutive Officer
Sony Computer Entertainment Inc.