Sony Still Buried Under Investigation of PlayStation Network Breach

playstation-dirt As more layers are uncovered in the investigation of the PlayStation Network and Sony Entertainment Online user-information breach things continue to get more interesting. The United States Congress reached out to Sony, asking them to provide explanations of what they were doing about the breach and why it took them so long to inform their customers. In Sony’s defense, the initial hack didn’t appear to reveal much about the userbase—that news changed, of course, when they discovered that the Sony Online Entertainment database had been absconded with and that contained sensitive financial information for users.

Instead of attending a committee formed by concerned Congresscritters, Sony delivered a letter. The information in the letter, and the reaction, has been covered by USA Today,

In a letter submitted to Congress, Sony Computer Entertainment chief Kaz Hirai says the company “has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information for illegal purposes.”

Sony turned down a request to attend the subcommittee hearing to continue its investigation into a data breach that knocked out the PlayStation Network on April 19 and Sony Online Entertainment earlier this week.

“In Sony’s case, company officials first revealed information about the data breach on their blog,” Rep. Mary Bono Mack (R-Calif) said. “That’s right. A blog. I hate to pile on, but — in essence — Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”

In another blog post, Sony gives their side of the story about what they told Congress over the matter. Including how by April 25th they already had forensic teams on the problem and couldn’t rule out if credit card info had been breached.

RELATED:  Man pleads guilty to hacking Gmail + Apple Mail accounts and obtaining x-rated pics of celebrities

One of the blog bullet points, though, “…[a]s of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack….” seems directly at odds with information that the Sony Online Entertainment database did contain credit-card information and commenters at Ars Technica did feel that they’d seen strange credit activity that seemed related to the breach. Sony’s blog is from May 4th and this information has been known for the past week.

Involvement with Anonymous?

Other amusements to jump out of Sony’s letter to Congress include implications by Sony that hacktivist group Anonymous may have been involved in the data breach. They mentioned that their forensic techs had uncovered a file left behind by intruders named “Anonymous” which contained the words “We are Legion.” The latter is a common tag line used by members of the disorganized hacktivist group.

Members claiming to be part of Anonymous, of course, quickly moved to deny any involvement.

It does seem extremely unlikely that the largess of such a group would be involved in such an event if the intent were to steal credit card information. There’s a multitude of actual criminal enterprises out in the world who have organized infrastructures to take advantage of the spoils.

Sony Already Aware of Potential Flaws

When the Congress hearing on the incidents did go forward yesterday, some damning evidence came forward that Sony had indeed been aware that their outdated security contained serious flaws. The Consumerist reports,

According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which “was unpatched and had no firewall installed.” The issue was “reported in an open forum monitored by Sony employees” two to three months prior to the recent security breaches, said Spafford.

This ties in nicely with Sony’s own mention of what happened with Sony Online Entertainment when they mentioned that the stolen database was an “outdated database from 2007.” Perhaps more than just the database had been outdated, noting the reported patch status of the Apache server and the lack of a firewall.

RELATED:  FBI suspends Apple case due to discovery of new way to access terrorists iPhone 5c

No doubt, as this week wraps up, Sony will find themselves under hotter scrutiny not just by Congress, but by watchdog groups and the very public who trust them with their financial information.

Kyt Dotson

Kyt Dotson

Kyt Dotson is a Senior Editor at SiliconAngle and works to cover beats surrounding DevOps, security, gaming, and cutting edge technology. Before joining SiliconAngle, Kyt worked as a software engineer starting at Motorola in Q&A to eventually settle at where he helped build a vast database for pet adoption and a lost and found system. Kyt is a published author who writes science fiction and fantasy works that incorporate ideas from modern-day technological innovation and explore the outcome of living with those technologies.
Kyt Dotson


Join our mailing list to receive the latest news and updates from our team.


Join our mailing list to receive the latest news and updates from our team.

Submit a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Share This

Share This

Share this post with your friends!