As more layers are uncovered in the investigation of the PlayStation Network and Sony Entertainment Online user-information breach things continue to get more interesting. The United States Congress reached out to Sony, asking them to provide explanations of what they were doing about the breach and why it took them so long to inform their customers. In Sony’s defense, the initial hack didn’t appear to reveal much about the userbase—that news changed, of course, when they discovered that the Sony Online Entertainment database had been absconded with and that contained sensitive financial information for users.
Instead of attending a committee formed by concerned Congresscritters, Sony delivered a letter. The information in the letter, and the reaction, has been covered by USA Today,
In a letter submitted to Congress, Sony Computer Entertainment chief Kaz Hirai says the company “has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information for illegal purposes.”
Sony turned down a request to attend the subcommittee hearing to continue its investigation into a data breach that knocked out the PlayStation Network on April 19 and Sony Online Entertainment earlier this week.
“In Sony’s case, company officials first revealed information about the data breach on their blog,” Rep. Mary Bono Mack (R-Calif) said. “That’s right. A blog. I hate to pile on, but — in essence — Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”
In another blog post, Sony gives their side of the story about what they told Congress over the matter. Including how by April 25th they already had forensic teams on the problem and couldn’t rule out if credit card info had been breached.
One of the blog bullet points, though, “…[a]s of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack….” seems directly at odds with information that the Sony Online Entertainment database did contain credit-card information and commenters at Ars Technica did feel that they’d seen strange credit activity that seemed related to the breach. Sony’s blog is from May 4th and this information has been known for the past week.
Involvement with Anonymous?
Other amusements to jump out of Sony’s letter to Congress include implications by Sony that hacktivist group Anonymous may have been involved in the data breach. They mentioned that their forensic techs had uncovered a file left behind by intruders named “Anonymous” which contained the words “We are Legion.” The latter is a common tag line used by members of the disorganized hacktivist group.
Members claiming to be part of Anonymous, of course, quickly moved to deny any involvement.
It does seem extremely unlikely that the largess of such a group would be involved in such an event if the intent were to steal credit card information. There’s a multitude of actual criminal enterprises out in the world who have organized infrastructures to take advantage of the spoils.
Sony Already Aware of Potential Flaws
When the Congress hearing on the incidents did go forward yesterday, some damning evidence came forward that Sony had indeed been aware that their outdated security contained serious flaws. The Consumerist reports,
According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which “was unpatched and had no firewall installed.” The issue was “reported in an open forum monitored by Sony employees” two to three months prior to the recent security breaches, said Spafford.
This ties in nicely with Sony’s own mention of what happened with Sony Online Entertainment when they mentioned that the stolen database was an “outdated database from 2007.” Perhaps more than just the database had been outdated, noting the reported patch status of the Apache server and the lack of a firewall.
No doubt, as this week wraps up, Sony will find themselves under hotter scrutiny not just by Congress, but by watchdog groups and the very public who trust them with their financial information.