Sony blamed the well-known Internet vigilante group 'Anonymous' for indirectly allowing a hacker to gain access to personal data of its game users.
Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on "The Threat of Data Theft to American Consumers."
Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale cyber-attack the company has experienced.
In summary, Sony's executive told the subcommittee that in dealing with this cyber attack, his company "acted with care and caution" and provided "relevant information to the public when it has been verified."
Sony also informed the subcommittee that it is working with law enforcement authorities.
Mr. Hirai said that his company has been the victim of "a very carefully planned, very professional, highly sophisticated criminal cyber attack."
"We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named 'Anonymous' with the words 'We are Legion,'" Mr. Hirai added.
Anonymous is the name of a grass-roots cyber army that in December launched attacks that temporarily shut down the sites of MasterCard Inc and Visa Inc using simple software tools available for free over the Internet. The group targeted the two credit card companies for blocking payments to WikiLeaks, using "denial of service" attacks that overwhelmed their servers.
Sony said that by April 25, "forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed." On April 26, Sony said that it notified its customers of those facts.
Sony also claims that as of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
Mr. Hirai also underlined the steps Sony has taken to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.
Sony also told the subcommittee about its intent to offer complimentary identity theft protection to U.S. account holders and detailed the "Welcome Back" program, which includes free downloads; 30 days of free membership in the PlayStation Plus premium subscription service; 30 days of free service for Music Unlimited subscribers; and an extension of PlayStation Plus and Music Unlimited subscriptions for the number of days services were unavailable.