Though Sony declined to testify to Congress at today's hearing regarding the PSN/SOE intrusion that compromised millions of users' data, Sony Computer Entertainment of America chairman Kazuo Hirai has revealed new details on the attack in an 8-page letter to members of Congress.
According to the letter, the intrusion, which Sony first detected on April 19, was a "very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information." Hirai explains that on April 20, Sony's team confirmed that data had been stolen, but did not yet know the extent of the theft. That afternoon, Sony's online services were shut down and the company began the "exhaustive and highly sophisticated process of identifying the means of access and the nature and scope of the theft."
By April 21, Sony had hired two separate security firms to aid its investigation; on April 22, it notified the FBI; and on April 23, the teams concluded that "very sophisticated and aggressive techniques" had been used. A third security firm was brought on, and by the 25th, Sony had determined that personal data had been stolen, which it announced on the 26th. Why the delay? Sony was apparently reluctant to make the announcement prematurely, for fear that it would "lead [Sony's customers] to take unnecessary actions if the information was not fully corroborated by forensic evidence."
Sony still does not know with certainty whether or not credit card numbers were stolen in the breach, or who executed the attack, though it does say that it has "no confirmed reports of illegal usage of the stolen information." Hirai also claims that Sony now knows how the attack was carried out (or, it "believes" it does), and that it is working with the FBI to identify the perpetrator.
To prevent future attacks, Hirai says that Sony has hired a new Chief Information Security Officer, has added additional layers of software security, encryption, and monitoring, and is expediting a planned move of its data center to a location with "enhanced security."
Above: This totally unrelated photo of some PAX East cosplay doesn't communicate much about this story, but whatever. Guy Fawkes, rite?
Though Sony admits that it does not know who was responsible for the intrusion and theft, Hirai mentions Anonymous several times in the letter, seemingly connecting the group's earlier denial-of-service attacks with the current situation. Hirai also notes that a file named "Anonymous," containing the phrase "We are Legion," had been planted on one of its Sony Online Entertainment servers.
Given Anonymous' usual modus operandi, it seems unlikely to us that any of its supporters carried out an attack designed to steal personal information and credit card numbers, so the supposed calling card may be a red herring. It doesn't really matter, though - Anonymous supporters or not, those responsible executed the attack of their own volition, and clearly intended to use the stolen information for illegal purposes. They stand alone.
Whoever did it, we just hope the FBI catches them. Call in Fox Mulder, Dana Scully, Olivia Dunham, Frank Lundy, Plastic Man... whoever the hell it takes.
Above: Bring in the best of the best, FBI!
May 4, 2011