Blumenthal on Sony Response: “A Strong First Step”

(Hartford, CT) – Senator Richard Blumenthal (D-CT) today commended Sony Network Entertainment America (SNEA) for responding to his request to provide both information and protection to the customers who may be affected by the massive PlayStation Network and Sony Online Entertainment data breaches.

According to the company, Sony has agreed to provide one year of free credit monitoring service to users, as well as a $1 million insurance policy if they become victims of identity theft.

“I welcome Sony’s strong first step toward protecting millions of consumers whose personal and financial information has been compromised,” said Blumenthal. “While I continue to believe that Sony should have warned users earlier, I am pleased they are providing protective measures including an insurance policy to cover identity theft harms to consumers within a twelve-month window – but I would hope Sony would extend coverage over a longer time on a case-by-case basis if necessary.”

“Sony’s response to preventing similar attacks in the future could serve as a model for other companies facing similar criminal hacking,” Blumenthal continued. “The crime perpetrated on Sony and PlayStation Network users is part of a larger troubling trend of cybercrime, and a reminder that our laws and data security resources must keep pace with advancing technology. I look forward to working with Sony and others in the future to determine the best way forward, and continue to urge the Justice Department to pursue the criminals who attacked Sony’s information system.”

Blumenthal had previously written the President and CEO of Sony Computer Entertainment America, as well as the Chairman, demanding answers over the company’s then-failure to notify millions of customers of the data breach, and subsequently requested that the Department of Justice undertake an investigation to track down and hold accountable the hackers who stole sensitive personal information, and to examine any potential wrongdoing in Sony’s response to the breach.

Blumenthal also called for Sony to provide PlayStation Network users with financial data security services, including free access to credit reporting services for two years, the costs of which should be borne by the company. Additionally, he argued that affected individuals should be provided with sufficient insurance to protect them from the possible financial consequences of identity theft.

The first breach occurred sometime between April 17 – 19, 2011, potentially compromising sensitive personal and financial information of as many as 77 million users. A second breach was then discovered on May 2, potentially compromising up to 25 million more users.

Sony’s response letter is below.

May 5, 2011

The Honorable Richard Blumenthal
The United States Senate
702 Hart Senate Office Building
Washington DC 20510

Dear Senator Blumenthal:

I am writing in response to your letters dated April 26, 2011 and May 3, 2011. I regret not responding to you sooner but I assure you that my attention and the attention of my colleagues literally around the world has been keenly focused on remedying the harm caused by the large-scale criminal cyber-attack perpetrated upon Sony and its customers. I welcome your questions and hope that Sony can be helpful in crafting a public policy solution that reduces the chances that cyber-attacks such as this occur in the future.

With respect to your specific questions, please understand that the PlayStation Network is an extremely complex system that consists of approximately 130 servers, 50 software programs and 77 million registered accounts. To determine what meaningful information we could tell consumers about the attack on that network required a thorough investigation to understand what had occurred.

The basic sequence of events is as follows: On Tuesday, April 19, 2011, the Sony Network Entertainment America (SNEA) network team discovered that several PlayStation Network servers unexpectedly rebooted themselves and that unplanned and unusual activity was taking place on the network. This activity triggered an immediate response.

The network team took four servers offline and an internal assessment began. That process continued into the evening. On Wednesday, April 20, 2011, SNEA mobilized a larger internal team to assist the investigation of the four suspect servers. That team discovered the first credible indications that an intruder had been in the PlayStation Network system, and six more servers were identified as possibly being compromised. SNEA immediately decided to shut down all of the PlayStation Network services in order to prevent any additional damage.

On the afternoon of April 20, SNEA retained a recognized security and forensic consulting firm to mirror the servers to enable a forensic analysis. The type of mirroring required to provide meaningful information in this type of situation had to be meticulous and took many hours to complete.

The scope and complexity of the investigation grew substantially as additional evidence about the attack developed. On Thursday, April 21, SNEA retained a second recognized security and forensic consulting firm to assist in the investigation. That firm's role was to provide additional manpower to image the servers and to conduct a forensic analysis of all aspects of the suspected security breach.

The team took until Friday afternoon, April 22, to complete the mirroring of the first nine servers that were suspected of being compromised. By the evening of Saturday, April 23, the forensic teams were able to confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorized access to the servers and hide their presence from the system administrators.

Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network. At this point, SNEA knew it was dealing with a sophisticated hacker and on Sunday, April 24 (Easter Sunday) decided that it needed to retain a third forensic team with highly specialized skills to assist with the investigation. Specifically, this firm was retained to provide even more manpower for forensic analysis in all aspects of the suspected security breach and, in particular, to use their specialized skills to determine the scope of the data theft.

By Monday April 25, 2011, the forensic teams assembled by SNEA were finally able to confirm the scope of the personal data that they believed had been taken, but they could not rule out whether credit card information had been accessed.

SNEA was aware of its affirmative obligations under various state statutes to conduct a reasonable and prompt investigation to determine the nature and scope of the breach and to restore the integrity of its network system. SNEA also understood its obligation to report its findings to consumers if certain, specific kinds of personal information could have been compromised. As you are aware, there are a variety of state statutes that apply, and several that have conflicting or inconsistent requirements, but given the global nature of the network, SNEA needed to be mindful of them all - and has endeavored to comply with them all.

Throughout the process, SNEA was very concerned that announcing incomplete, tentative or potentially misleading information to consumers could cause confusion and lead them to take unnecessary actions. SNEA felt that it was important - and that it was in keeping with the mandate of state law - that any information SNEA provided to customers be corroborated by meaningful evidence.

Indeed, many state statutes (e.g., AZ, CT, CO, DE, FL, ID, ME, MD, MS, NE, VT, WI, WY) essentially require disclosure without unreasonable delay once an investigation has been done to identify the nature and scope of what happened and who was affected. That is precisely the course we followed.

While the forensic teams had not completed their investigation as of April 25 and could not determine if credit card information had been accessed, SNEA did not know when or if it would be able to rule out that possibility. And so, on Tuesday, April 26, SNEA and Sony Computer Entertainment America (SCEA) notified consumers of the situation.

SNEA and Sony Online Entertainment (SOE) continued to investigate the potential scope of this criminal attack even after consumers were notified of the breach. In the course of that investigation, on Sunday, May 1, using information uncovered by the forensic teams, engineers at SOE discovered that data had also been taken from their servers. They, too, shut down operations and on Monday, May 2, notified their consumers of the discovery.

Both SNEA and SOE notified consumers about the theft of data in a variety of ways. They issued global press releases that received widespread circulation across a range of media. Both companies have posted notices on the first page of their websites where most consumers are first likely to seek information. SNEA has posted a notice on the PlayStation website (www.PlayStation.com) that directs consumers to PlayStation Network Data Security Updates, and on the Qriocity website (www.Qriocity.com) that directs consumers to the customer support page with an "IMPORTANT Service Announcement". SOE has posted a "Security Notice" on its home page. Sony Computer Entertainment America, the company most associated with the PlayStation® brand, has communicated with its consumers via the PlayStation Blog and has placed a prominent notice on its home page. Finally, both SNE and SOE have been sending the e-mail notices to individual consumers that you mentioned in your letter.

In your letter you suggest that sending 500,000 emails an hour is not expeditious; however, this limitation exists because these emails are not "batch" e-mails. The e-mails are individually tailored to our consumers' accounts. To comply with the various state laws that recognize personal notice (such as via email) may be delayed or otherwise undeliverable we, in the forms noted above, provided what is known as "substitute notice" to our consumers. (I do not believe the email pace relates to the decision to announce on April 26, as apparently suggested by someone to your staff; these issues are unrelated, and we apologize for any confusion).

With respect to your question about credit cards potentially involved, SNEA had approximately 12.3 million active and expired credit cards, approximately 5.6 million of which were in the U.S. As of this writing, there remains no evidence that the credit card information was stolen and the major credit card companies are still reporting that they have not seen an increase in fraudulent transactions due to this event.

Unfortunately, our forensic teams still have not been able to rule out that credit card data was taken. That is why we have continued to be cautious in alerting our customers to the possibility it was stolen.

Since SNEA gave its first notice that the PlayStation Network and Qriocity services were compromised, SOE has subsequently announced the possible theft of personal information from approximately 24.6 million SOE accounts and also announced that approximately 12,700 credit cards (with expiration dates but not security codes) and approximately 10,700 direct debit records -- all from non-US consumers -- may have been taken.

You have questioned why SOE did not disclose this loss of data from its servers until May 2. The reason was because SOE did not discover that theft until May 1. The intruder carefully covered his or her tracks in the server systems. In fact, as noted above, the discovery was made only after SOE rechecked their machines -- which earlier showed no evidence of theft -- using information developed by our forensic experts working in collaboration with our technical teams.

Notices as required by various state statutes were prepared and the information was made available to consumers through a press release and emails to SOE customers beginning on May 2.

You have also asked how we will protect consumers going forward. We have already advised our consumers in the U.S. that we would offer a complimentary identity theft protection program, the details of which we will announce shortly. SNEA is finalizing details of this offer and SOE has agreed to participate in the offer and will make it available to its consumers as well.

In addition to offering this identity theft protection, SNEA has announced a series of steps that it will take -- most of which were in progress before this theft occurred -- to enhance security before the service is restored. SOE has taken or will take similar steps. Those steps are:

• additional automated software monitoring and configuration management to help defend against new attacks;

• enhanced levels of data protection and encryption;

• enhanced capabilities to detect software intrusions within the network, unauthorized access and unusual activity patterns;

• implementation of additional firewalls;

• expediting a planned move of the system to a new data center in a different location with enhanced security; and

• appointment of a new Chief Information Security Officer.

Please allow me to attach a letter delivered yesterday to the House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing and Trade, which provides additional information that might be of interest.

We of course deeply regret that this incident has occurred and have apologized to our customers. We believe we are taking aggressive action to right what you correctly perceive is a grievous wrong against our consumers: a wrong that is the result of a malicious, sophisticated and well orchestrated criminal attack on us and our consumers.

While those who perpetrated this crime no doubt relish putting us in the cross-hairs of controversy, I know you can appreciate how widespread the problem of cybercrime is in society today. What happened to us, though more vast in scope, has happened to many others before. And cybercriminals will continue to attack businesses, consumers, and governments, posing a real threat to our economy and security.

We believe a strong coalition among government, industry, and consumers is needed to identify ways that the public and private sectors can work more closely together to enact strong laws, promote stronger enforcement of those laws, educate people about the threats we face, share best practices and make the Internet a safe place for everyone to engage in commerce. In this we commend you for your leadership.

We do not want what happened to us and our consumers to happen to any other business, consumer or organization, and we look forward to bringing the lessons we have learned to all who are concerned about the threat of cybercrimes to our way of life.

Very truly yours,

Kazuo Hirai
President and Group Chief Executive Officer
Sony Computer Entertainment Inc.

###