Since Sony's letter to Congress on the PlayStation Network breach, there have been some interesting developments reported both in and out of the company — chief among them a free $1 million identity theft insurance policy, courtesy of Sony. While we wait to see if PSN will, in fact, come back within the now-promised "coming days," let's break down the new developments.
Free identity theft protection from Debix
Sony is making good on its promise to provide free enrollment in an identity theft protection program, and the details are in. Debix's "AllClear ID Plus" program for Sony customers will include cyber monitoring and surveillance, priority access to licensed private investigators and identity restoration specialists, and $1 million ID theft insurance for "certain fees, lost wages and fraud losses related to recovering your identity." Account holders should be getting an activation code via email over the next few days; they'll have until June 18th to sign up, and the service lasts for 12 months. This currently applies to US customers only, though the international audience will be getting more details shortly.
A letter from CEO Howard Stringer
Sony's Top Man has been pretty quiet throughout this whole ordeal, but today the PlayStation Blog published a letter from him about it. There's nothing new for those who have been following along, but he does briefly address one of the biggest sticking points of the breach: how long it took Sony to alert its customers.
"I know some believe we should have notified our customers earlier than we did. It’s a fair question. As soon as we discovered the potential scope of the intrusion, we shut down the PlayStation Network and Qriocity services and hired some of the best technical experts in the field to determine what happened. I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process. Hackers, after all, do their best to cover their tracks, and it took some time for our experts to find those tracks and begin to identify what personal information had — or had not — been taken."
There is an apology, and there are ample reassurances that the investigation is still ongoing and everyone is working around the clock to right the wrongs, and so forth.
The 'final testing stages' of PSN
Also yesterday, SCEA's Patrick Seybold offered a short but poignant update on the progress of restoring the PlayStation Network. "Our global network and security teams... began the final stages of internal testing of the new system." The timeline is, as of this writing, still not concrete, but as Stringer notes in his letter (dated May 5th), the new timeline for restoration is "the coming days."
Anonymous issues new denial
In Sony's letter to Congress, hacking group Anonymous was accused of at least indirect involvement ("Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief..."). The group's leadership — if it's fair to call it that — published a fresh denial of involvement (via The Guardian). It calls itself a "transparent" and "candid" group, and though the news release goes out of its way to talk about corporate corruption as a whole, it does have this to say in terms of rebuttal:
"Whoever did perform the credit card theft did so contrary to the 'modus operandi' and intentions of Anonymous. Public support is not gained by stealing credit card info and personal identities, we are trying to fight criminal activities by corporations and governments, not steal credit cards."
The rest harps a bit too much on the credit card portion without addressing the rest of the identity theft, but I don't think this is the group being nuanced for the sake of covering themselves.
Security expert testifies
Though Sony declined an invitation to attend in person, offering instead the now-famous letter from earlier this week, the US House of Representatives Energy & Commerce Committee nonetheless held a hearing entitled "The Threat of Data Theft to American Consumers." According to The Consumerist (via Joystiq), security expert Dr. Gene Spafford of Purdue testified that his team had discovered the company was using outdated Apache Web server software and knew about it months before the attack, as "reported in an open forum monitored by Sony employees." It's worth noting that this is secondhand information and nothing to take as gospel. We've pinged Sony for a response on this and a few other questions.
Another attack this weekend?
CNET is reporting "exclusive" news that an unnamed hacking group is planning a "third attack" (the first two presumably being PSN and Sony Online Entertainment). The report cites an "observer of the Internet Relay Chat channel used by the hackers" and says whatever data is found will be published online — credit card numbers and all, if found. The Hacker News reported almost the exact same thing earlier in the day, providing three links as "proof" of the access. As of now all three links are dead, but I did manage to check when one was working, and sure enough, there was a list of names and some address information on a "wishlist" page. As for who is attacking and whether they'll succeed, well, I guess we'll find out soon enough.