As more layers are uncovered in the investigation of the PlayStation Network and Sony Online Entertainment user-information breach, things continue to get more interesting. The United States Congress reached out to Sony, asking them to explain what they were doing about the breach and why it took them so long to inform their customers. In Sony’s defense, the initial hack didn’t appear to reveal much about the userbase—that changed, of course, when they discovered that the Sony Online Entertainment database had been absconded with, and that it contained sensitive financial information for users.
Instead of attending a committee formed by concerned Congresscritters, Sony delivered a letter. The information in the letter, and the reaction to it, have been covered by USA Today:
In a letter submitted to Congress, Sony Computer Entertainment chief Kaz Hirai says the company “has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information for illegal purposes.”
Sony turned down a request to attend the subcommittee hearing to continue its investigation into a data breach that knocked out the PlayStation Network on April 19 and Sony Online Entertainment earlier this week.
“In Sony’s case, company officials first revealed information about the data breach on their blog,” Rep. Mary Bono Mack (R-Calif) said. “That’s right. A blog. I hate to pile on, but — in essence — Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”
In another blog post, Sony gives their side of the story about what they told Congress on the matter, including how, by April 25th, they already had forensic teams on the problem and could not rule out that credit card information had been breached.
One of the blog bullet points, though, “…[a]s of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack….”, seems directly at odds with two things: the information that the Sony Online Entertainment database did contain credit-card information, and the reports from commenters at Ars Technica that they had seen strange credit activity that seemed related to the breach. Sony’s blog post is from May 4th, and this information has been known for the past week.
Involvement with Anonymous?
Other amusements to jump out of Sony’s letter to Congress include Sony’s implication that the hacktivist group Anonymous may have been involved in the data breach. They mentioned that their forensic techs had uncovered a file, named “Anonymous,” left behind by the intruders, which contained the words “We are Legion.” The latter is a common tagline used by members of the disorganized hacktivist group.
Members claiming to be part of Anonymous, of course, quickly moved to deny any involvement.
It does seem extremely unlikely that a group of that kind would be involved in such an event if the intent were to steal credit card information. There is a multitude of actual criminal enterprises out in the world with organized infrastructures to take advantage of the spoils.
Sony Already Aware of Potential Flaws
When the Congressional hearing on the incidents did go forward yesterday, some damning evidence emerged that Sony had indeed been aware that their outdated security contained serious flaws. The Consumerist reports:
According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which “was unpatched and had no firewall installed.” The issue was “reported in an open forum monitored by Sony employees” two to three months prior to the recent security breaches, said Spafford.
This ties in nicely with Sony’s own account of what happened at Sony Online Entertainment, where they described the stolen database as an “outdated database from 2007.” Perhaps more than just the database was outdated, given the reported patch status of the Apache server and the lack of a firewall.
No doubt, as this week wraps up, Sony will find themselves under increasing scrutiny, not just from Congress but from watchdog groups and the very public who trust them with their financial information.