senator blumenthal letter from sony


Upload: arik-hesseldahl

Post on 29-Nov-2014


TRANSCRIPT

SONY COMPUTER ENTERTAINMENT

Sony Computer Entertainment America
919 East Hillsdale Blvd.
Foster City, California 94404-2175
650 655 8000
650 655 8001 Fax

May 5, 2011

The Honorable Richard Blumenthal
The United States Senate
702 Hart Senate Office Building
Washington, DC 20510

Dear Senator Blumenthal:

I am writing in response to your letters dated April 26, 2011 and May 3, 2011. I regret not responding to you sooner but I assure you that my attention and the attention of my colleagues literally around the world has been keenly focused on remedying the harm caused by the large-scale criminal cyber-attack perpetrated upon Sony and its customers. I welcome your questions and hope that Sony can be helpful in crafting a public policy solution that reduces the chances that cyber-attacks such as this occur in the future.

With respect to your specific questions, please understand that the PlayStation Network is an extremely complex system that consists of approximately 130 servers, 50 software programs and 77 million registered accounts. To determine what meaningful information we could tell consumers about the attack on that network required a thorough investigation to understand what had occurred.

The basic sequence of events is as follows:

On Tuesday, April 19, 2011, the Sony Network Entertainment America (SNEA) network team discovered that several PlayStation Network servers unexpectedly rebooted themselves and that unplanned and unusual activity was taking place on the network. This activity triggered an immediate response.

The network team took four servers off line and an internal assessment began. That process continued into the evening. On Wednesday, April 20th, SNEA mobilized a larger internal team to assist the investigation of the four suspect servers. That team discovered the first credible indications that an intruder had been in the PlayStation Network system, and six more servers were identified as possibly being compromised. SNEA immediately decided to shut down all of the PlayStation Network services in order to prevent any additional damage.

On the afternoon of April 20th, SNEA retained a recognized security and forensic consulting firm to mirror the servers to enable a forensic analysis. The type of mirroring required to provide meaningful information in this type of situation had to be meticulous and took many hours to complete.

Letter to Honorable Richard Blumenthal
May 5, 2011
Page 2 of 5

The scope and complexity of the investigation grew substantially as additional evidence about the attack developed. On Thursday, April 21, SNEA retained a second recognized security and forensic consulting firm to assist in the investigation. That firm's role was to provide additional manpower to image the servers and to conduct a forensic analysis of all aspects of the suspected security breach.

The team took until Friday afternoon, April 22, to complete the mirroring of the first nine servers that were suspected of being compromised. By the evening of Saturday, April 23, the forensic teams were able to confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorized access to the servers and hide their presence from the system administrators.

Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network. At this point, SNEA knew it was dealing with a sophisticated hacker and on Sunday, April 24 (Easter Sunday) decided that it needed to retain a third forensic team with highly specialized skills to assist with the investigation. Specifically, this firm was retained to provide even more manpower for forensic analysis in all aspects of the suspected security breach and, in particular, to use their specialized skills to determine the scope of the data theft.

By Monday April 25, 2011, the forensic teams assembled by SNEA were finally able to confirm the scope of the personal data that they believed had been taken, but they could not rule out whether credit card information had been accessed.

SNEA was aware of its affirmative obligations under various state statutes to conduct a reasonable and prompt investigation to determine the nature and scope of the breach and to restore the integrity of its network system. SNEA also understood its obligation to report its findings to consumers if certain, specific kinds of personal information could have been compromised. As you are aware, there are a variety of state statutes that apply, and several that have conflicting or inconsistent requirements, but given the global nature of the network, SNEA needed to be mindful of them all - and has endeavored to comply with them all.

Throughout the process, SNEA was very concerned that announcing incomplete, tentative or potentially misleading information to consumers could cause confusion and lead them to take unnecessary actions. SNEA felt that it was important - and that it was in keeping with the mandate of state law - that any information SNEA provided to customers be corroborated by meaningful evidence.

Indeed, many state statutes (e.g., AZ, CT, CO, DE, FL, ID, ME, MD, MS, NE, VT, WI, WY) essentially require disclosure without unreasonable delay once an investigation has been done to identify the nature and scope of what happened and who was affected. That is precisely the course we followed.

While the forensic teams had not completed their investigation as of April 25 and could not determine if credit card information had been accessed, SNEA did not know when or if it would be able to rule out that possibility. And so, on Tuesday, April 26, SNEA and Sony Computer Entertainment America (SCEA) notified consumers of the situation.


SNEA and Sony Online Entertainment (SOE) continued to investigate the potential scope of this criminal attack even after consumers were notified of the breach. In the course of that investigation, on Sunday, May 1, using information uncovered by the forensic teams, engineers at SOE discovered that data had also been taken from their servers. They, too, shut down operations and on Monday, May 2, notified their consumers of the discovery.

Both SNEA and SOE notified consumers about the theft of data in a variety of ways. They issued global press releases that received widespread circulation across a range of media. Both companies have posted notices on the first page of their websites where most consumers are first likely to seek information. SNEA has posted a notice on the PlayStation website (www.PlayStation.com) that directs consumers to PlayStation Network Data Security Updates, and on the Qriocity website (www.Qriocity.com) that directs consumers to the customer support page with an "IMPORTANT Service Announcement". SOE has posted a "Security Notice" on its home page. Sony Computer Entertainment America, the company most associated with the PlayStation® brand, has communicated with its consumers via the PlayStation Blog and has placed a prominent notice on its home page. Finally both SNE and SOE have been sending the e-mail notices to individual consumers that you mentioned in your letter.

In your letter you suggest that sending 500,000 emails an hour is not expeditious; however this limitation exists because these emails are not "batch" e-mails. The e-mails are individually tailored to our consumers' accounts. To comply with the various state laws that recognize personal notice (such as via email) may be delayed or otherwise undeliverable we, in the forms noted above, provided what is known as "substitute notice" to our consumers. (I do not believe the email pace relates to the decision to announce on April 26, as apparently suggested by someone to your staff; these issues are unrelated, and we apologize for any confusion).

With respect to your question about credit cards potentially involved, SNEA had approximately 12.3 million active and expired credit cards, approximately 5.6 million of which were in the U.S. As of this writing, there remains no evidence that the credit card information was stolen and the major credit card companies are still reporting that they have not seen an increase in fraudulent transactions due to this event.

Unfortunately, our forensic teams still have not been able to rule out that credit card data was taken. That is why we have continued to be cautious in alerting our customers to the possibility it was stolen.

Since SNEA gave its first notice that the PlayStation Network and Qriocity services were compromised, SOE has subsequently announced the possible theft of personal information from approximately 24.6 million SOE accounts and also announced that approximately 12,700 credit cards (with expiration dates but not security codes) and approximately 10,700 direct debit records -- all from non-US consumers -- may have been taken.

You have questioned why SOE did not disclose this loss of data from its servers until May 2. The reason was because SOE did not discover that theft until May 1. The intruder carefully covered his or her tracks in the server systems. In fact, as noted above, the discovery was made only after SOE rechecked their machines -- which earlier showed no evidence of theft -- using information developed by our forensic experts working in collaboration with our technical teams.


Notices as required by various state statutes were prepared and the information was made available to consumers through a press release and emails to SOE customers beginning on May 2.

You have also asked how we will protect consumers going forward. We have already advised our consumers in the U.S. that we would offer a complimentary identity theft protection program, the details of which we will announce shortly. SNEA is finalizing details of this offer and SOE has agreed to participate in the offer and will make it available to its consumers as well.

In addition to offering this identity theft protection, SNEA has announced a series of steps that it will take - most of which were in progress before this theft occurred - to enhance security before the service is restored. SOE has taken or will take similar steps. Those steps are:

- additional automated software monitoring and configuration management to help defend against new attacks;

- enhanced levels of data protection and encryption;

- enhanced capabilities to detect software intrusions within the network, unauthorized access and unusual activity patterns;

- implementation of additional firewalls;

- expediting a planned move of the system to a new data center in a different location with enhanced security; and

- appointment of a new Chief Information Security Officer.

Please allow me to attach a letter delivered yesterday to the House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing and Trade, which provides additional information that might be of interest.

We of course deeply regret that this incident has occurred and have apologized to our customers. We believe we are taking aggressive action to right what you correctly perceive is a grievous wrong against our consumers: a wrong that is the result of a malicious, sophisticated and well orchestrated criminal attack on us and our consumers.

While those who perpetrated this crime no doubt relish putting us in the cross-hairs of controversy, I know you can appreciate how widespread the problem of cybercrime is in society today. What happened to us, though more vast in scope, has happened to many others before. And cybercriminals will continue to attack businesses, consumers, and governments, posing a real threat to our economy and security.

We believe a strong coalition among government, industry, and consumers is needed to identify ways that the public and private sectors can work more closely together to enact strong laws, promote stronger enforcement of those laws, educate people about the threats we face, share best practices and make the Internet a safe place for everyone to engage in commerce. In this we commend you for your leadership.


We do not want what happened to us and our consumers to happen to any other business, consumer or organization, and we look forward to bringing the lessons we have learned to all who are concerned about the threat of cybercrimes to our way of life.

Very truly yours,

Kazuo Hirai
President and Group Chief Executive Officer
Sony Computer Entertainment Inc.

Attachment