The company has continued to face criticism over waiting several days to inform consumers about the intrusion on their personal data. Early in the document, PlayStation executive Kaz Hirai answered that critique directly.
"Sony Network Entertainment America immediately hired a highly regarded information technology firm and supplemented that firm with additional expertise and resources over several days," explained Hirai. "Sony Network Entertainment then released information to its customers we we and those experts believed that information was sufficiently confirmed. The truth is that retracing the steps of experienced cyber attackers is a highly complex process that takes time to carry out effectively."
Hirai's answers provide an update on the evidence Sony has against the intruders. The popular theory has been infamous hacker organization Anonymous, who declared their intentions to disrupt Sony's operations, following a lawsuit against hacker GeoHot, who essentially cracked the PlayStation code. Anonymous had publicly distanced itself from the PSN debacle, but Sony points to tangible evidence.
== TEASER =="When Sony Online Entertainment discovered this past Sunday afternoon that data from its servers had been stolen," said Hirai, "it also discovered that the intrduers had planted a file on one of the servers named 'Anonymous' with the words 'We are Legion.'"
Asked point blank whether it had positively identified the intruders, however, the company could not.
According to Sony's timeline, the hackers--possibly Anonymous--gained access while its servers were experiencing denial of service attacks. The company became aware on April 19 at 4:15 p.m. PST, with systems performing unscheduled reboots. Sony claims its response to the attack was slow due to the "sophistication of the intrusion" and the attack funneled through a "system software vulnerability." Sony was unable to determine whether those who gained access during the denial of service attacks were knowingly working in cahoots with the people actually perpetuating the denial of service attacks.
Sony informed the FBI on April 22. At the time, the company says it didn't know the full extent of the attack and scheduled a meeting to inform law enforcement on April 27. On April 26, Sony collected what it knew, published some details to the public and contacted regulatory agencies in states nationwide.
And while Sony still cannot rule out whether credit card information was definitely not taken, it has received no reports of mass fraud from any financial institutions assumed to be connected to PSN. The company believes 10 million credit cards were exposed but cannot determine if details were taken.
"Our forensics team have not seen queries and corresponding data transfers of the credit card information," said Hirai.
How many credit cards are even in the system? Sony says PSN account data shows 12.3 million credit cards across the 77 million registered accounts, though only 5.6 of them are here in the United States.
Sony's congressional answers represent our best look yet into the who, what, where and whys of the PSN attack. It's too bad Sony didn't make this same information available to its 77 million consumers.
118 Comments