In a formal letter addressed to members of the House Commerce Committee, Kazuo Hirai, chairman of Sony Computer Entertainment America, suggests the rogue hacktivist movement Anonymous played a role in the massive customer data breach that now exceeds 100 million records.
Anonymous followers had previously taken credit for a distributed denial of service (DDoS) attack against the Sony PlayStation Network in early April.
Anonymous called off the assault on PSN after receiving backlash from Sony customers upset by the network downtime. When the network failed again a few weeks later, Anonymous issued a press release stating the movement had not participated in the second attack.
Initially, Sony representatives did not seek to connect the hacktivist group with the data breach event. That has changed now that forensic investigators have located a file on the hacked PSN systems named "Anonymous" and containing the movement's tagline "We are Legion."
The discovery was enough evidence for Sony's chairman to state in the letter to Congress that Anonymous was at least partly to blame for the customer data loss event:
"Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous... Whether those who participated in the denial of services attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know. In any case, those who participated in the denial of service attacks should understand that – whether they knew it or not – they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony's many customers around the world," Hirai's letter said.
The letter to Congress also sought to counter criticism that Sony waited too long to notify authorities and customers of the breach, stating that the company only released information after it was confirmed in the investigation:
"Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence," Hirai's letter said.
The letter also characterizes the hacking attack as a highly sophisticated, well coordinated, and professional operation. Though Anonymous typically sticks to low-level, crowd-sourced DDoS attacks, its hack of the HBGary Federal systems in January demonstrated that the movement has members capable of carrying out more complex intrusions.
Sony has provided a summary of Hirai's letter to Congress:
In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:
- Act with care and caution.
- Provide relevant information to the public when it has been verified.
- Take responsibility for our obligations to our customers.
- Work with law enforcement authorities.
We also informed the subcommittee of the following:
- Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
- We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
- By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
- As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
- Protecting individuals’ personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
- We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.
The full letter to Congress from Kazuo Hirai can be found HERE.