Late last week, a Congressional subcommittee sent a letter to Sony's second-in-command Kaz Hirai pressing him for more answers to the massive PlayStation Network security breach. Today, Hirai has responded with an eight-page letter that not only addresses each of the subcommittee's questions one-by-one but also provides some more details into the Sony Online Entertainment breach and volleys a not-so-subtle jab at Anonymous, a hacking group he calls "conspirators or... simply duped into providing cover for a very clever thief." Yeah, it's a great read. The biggest takeaways and a full timeline of events after the break.
A Timeline of Events
According to Reuters, Sony's aforementioned retained firms include teams from Data Forte, Guidance Software, and Robert Half International subsidiary Protiviti. It's also hired the law firm Baker & McKenzie to help with the investigation.
Sony Online Entertainment
On April 28th, representatives for Sony Online Entertainment — the group behind DC Universe Online and other MMOs — took to the forums to say, "We have been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorized person or persons." As we now know, that's not quite the case.
According to the letter, Sony learned of the SOE intrusion on the afternoon of May 1st, in the course of the investigation already under way. As I've reported before, the information compromised includes 24.6 million SOE accounts (US and international), 12,700 non-US credit cards, and 10,700 direct deposit records (read: bank information) from customers in Austria, Germany, the Netherlands and Spain.
Was Anonymous duped?
Sony doesn't get specific about when the SOE attack first took place (we heard April 16th and 17th in a press release earlier this week), but it does make a point of mentioning that "it also discovered that the intruders had planted a file on one of those servers named 'Anonymous' with the words 'We are Legion.'" Sony goes on to describe the "coordinated denial of service attack" instigated by Anonymous. The company is pretty clear here in saying "one or more cyber criminals gained access to PlayStation Network servers at or around the same time" as those attacks.
The letter says SNEA likely didn't immediately detect the intrusion for several reasons, including the sophistication of the attack and the way the hackers exploited a system software vulnerability. It then goes on — and this is where it gets juicy — to suggest the concurrent DDoS attack was possibly an intentional distraction to keep the security teams preoccupied. I want to quote Sony directly here, because it's a zinger:
"Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know. In any case, those who participated in the denial of service attacks should understand that — whether they knew it or not — they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony's many customers around the world."
So, is Anonymous being accused? Not really — Sony's pretty clear later that they haven't yet identified who's responsible — but it's quite upfront in saying the famed hacking group might've been hoodwinked into doing someone else's dirty work. Anonymous' attack is nothing if not predictable given Sony's lawsuit against PS3 hacker Geohot.
It's worth noting that by April 16th — when SOE claims the intrusion took place — Anonymous had called off its DDoS altogether and moved on to a real-life Sony protest.
12.3 million credit cards — but so far, so good
The good news, if there is any to take from this, is that so far no major credit card companies are reporting any increase in the number of fraudulent credit card transactions as a result of the attack. Still, as of this letter the company hasn't been able to "conclude with certainty through the forensic analysis done to date" that credit card information wasn't extracted. As for just how many cards were in the system, Sony says 12.3 million account holders had credit card information on file, 5.6 million of them in the US (counting both active and expired cards). That's just under 16 percent of the 77 million accounts compromised.
What's left, what's missing
The rest of the letter covers pretty much what we've already heard over the past week, including the expedited move from the San Diego data center to a new location with enhanced security and the "Welcome Back" program gifting extra PlayStation Plus / Qriocity days and other, yet-to-be-announced gifts.
So, why did it take so long for Sony to come clean on the breach? The original letter from Congress asks the company directly. In response, Sony claims it wasn't until April 25th, six days into the shutdown of PSN, that it knew the scope of the breach. It first mentioned an "external intrusion" on April 23rd, and then went into detail on the matter April 26th. In the letter, the company maintains that "announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence." Translation: it's a silly non-answer dragged out over two pages of timeline detail and talk of state statutes with "conflicting or inconsistent requirements." But after all this, it's probably the best non-answer we'll get. Read it for yourself: