Senator Blumenthal Presses Sony on Latest Hacking Incident Targeting More Than One Million Users

(Washington, DC) – Senator Richard Blumenthal (D-CT) today sent a letter to Sony Chairman and Chief Executive Officer Michael Lynton inquiring about the company’s latest security breach that has compromised the personal data of more than one million clients of SonyPictures.com. In the letter, Blumenthal notes the serious lack of encryption guarding personal information of users and directly asks the company how passwords could have been stolen with such ease. This breach is the latest in a series of hacking incidents that Sony has incurred over the past few months.

“Particularly troubling about this incident is the [hacker] group’s claim that Sony had stored its users’ information, including passwords, in plain text, with no encryption whatsoever,” wrote Blumenthal. “If this claim is true, it raises serious concerns about the level of care that Sony gives to its users’ privacy and security.”

The full text of the letter is below.

June 8, 2011

Mr. Michael Lynton

Chairman and Chief Executive Officer

Sony Pictures Entertainment

10202 W. Washington Blvd.

Culver City, CA 90232

Ms. Amy Pascal

Co-Chairman

Sony Pictures Entertainment

10202 W. Washington Blvd.

Culver City, CA 90232

Dear Mr. Lynton and Ms. Pascal,

I am writing regarding a recent data breach of Sony Pictures. I am concerned about the string of breaches of Sony properties, and request clarification of the details and extent of this and other recent breaches.

On June 2, 2011, a group claimed to have breached the SonyPictures.com website and accessed a database containing over one million users’ personal information, including email addresses and passwords. Particularly troubling about this incident is the group’s claim that Sony had stored its users’ information, including passwords, in plain text, with no encryption whatsoever. If this claim is true, it raises serious concerns about the level of care that Sony gives to its users’ privacy and security.

Additionally, the group that hacked SonyPictures.com claims that it was able to do so using a relatively rudimentary exploit of poorly constructed or scripted code, and what the hackers characterized as a “primitive and common” vulnerability.

If the above information is true, it would appear that Sony has failed to take even basic steps to safeguard its consumers’ data. I seek your answers to the following questions:

1) Does Sony know how many users were affected by this breach?

2) What data was compromised?

3) Was any of the data encrypted? If not, why not?

4) Has Sony notified users whose personal information was compromised?

5) Will Sony be providing any kind of identity theft protection for users whose data was compromised?

6) Has Sony addressed the specific vulnerability that was demonstrated in this attack?

7) Finally, I note with dismay that Sony appears to have suffered numerous other hacks and data breaches in the last few weeks, including several other breaches that exploited similar vulnerabilities. What measures is Sony taking to protect its consumers’ information from being accessed via these vulnerabilities?

I appreciate your prompt response.

                                                  Sincerely,

                                                  Richard Blumenthal

                                                  United States Senate