Sony’s Response to the U.S. House of Representatives

Earlier this week, we reported that the United States House of Representatives wanted answers from Sony regarding the recent PlayStation Network breach. Today, Sony has issued their responses to Congress, which unfortunately didn't stray far from the typical answers and solutions we've already been hearing from them. Sony described how they followed four key principles such as acting with care and caution, providing relevant information to the public when it has been verified, taking responsibility for our obligations to our customers, and working with law enforcement authorities.

Today, the Subcommittee on Commerce, Manufacturing and Trade of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, DC on “The Threat of Data Theft to American Consumers.”
Kazuo Hirai, Chairman of the Board of Directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about the large-scale, criminal cyber-attack we have experienced. We wanted to share those answers with you (click here).
In summary, we told the subcommittee that in dealing with this cyber attack we followed four key principles:

1. Act with care and caution.
2. Provide relevant information to the public when it has been verified.
3. Take responsibility for our obligations to our customers.
4. Work with law enforcement authorities.

We also informed the subcommittee of the following:

• Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
• We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named “Anonymous” with the words “We are Legion.”
• By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
• As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
• Protecting individuals’ personal data is the highestpriority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
• We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.

We told the subcommittee about our intent to offer complimentary identity theft protection to U.S. account holders and detailed the “Welcome Back” program that includes free downloads, 30 days of free membership in the
PlayStation Plus premium subscription service; 30 days of free service for Music Unlimited subscribers; and extending PlayStation Plus and Music Unlimited subscriptions for the number of days services were unavailable.
We are working around the clock to have some PlayStation Network services restored and we’ll be providing specific details shortly. We hope this update is helpful to you, and we will continue to keep you posted as we work to restore our network and provide you with both the entertainment and the security you deserve.

THIRD attack against Sony

Cnet is reporting that a THIRD attack against Sony is slated to take place this weekend. The hackers are currently in the planning phase of the attack and are claiming it is in retaliation for how poorly the original PSN breach was handled. This time around the hackers intend to publish any and all data that was retrieved from Sony's servers. Such information could include names, addresses, credit cards, and more. The most shocking revelation to come from this story is that the hacking group is claiming to still have access to certain aspects of Sony's network. If this proves to be true, it would be a horrendous blow to Sony.




A group of hackers says it is planning another wave of cyberattacks against Sony in retaliation for its handling of the PlayStation Network breach.



An observer of the Internet Relay Chat channel used by the hackers told CNET today that a third major attack is planned this weekend against Sony's Web site. The people involved plan to publicize all or some of the information they are able to copy from Sony's servers, which could include customer names, credit card numbers, and addresses, according to the source. The hackers claim they currently have access to some of Sony's servers.



Should the planned attack succeed, it would be the latest blow in a series of devastating security breaches of Sony's servers over the past month. The failure of Sony's server security has ignited investigations by the FBI, the Department of Justice, Congress, and the New York State Attorney General, a well as data security and privacy authorities in the U.K., Canada, and Taiwan.



Several weeks ago the hacker group known as Anonymous targeted several Sony Web sites, including Sony.com and SonyStyle.com, with a distributed denial-of-service (DDoS) attack in retaliation for what its members saw as Sony's unfair legal action against hacker George Hotz. Two weeks ago Sony's PlayStation Network, along with its Qriocity service and Sony Online, were the target of an attack that exposed the personal information of more than 100 million Sony customers. Sony was forced to shut down PSN, Qriocity, and Sony Online, and is currently working to bring them back online after rebuilding the security of its servers.



Sony says it doesn't know who orchestrated what it's calling a "highly sophisticated, planned" attack, but it has dropped hints that the group Anonymous is involved. Kazuo Hirai, chairman of Sony Computer Entertainment, told a Congressional subcommittee in a letter yesterday that the intruders on its servers planted a file named "Anonymous" containing the statement "We are Legion," part of the group's tagline.



Anonymous issued a statement yesterday denying it was involved in the PSN breach. "While we are a distributed and decentralized group, our 'leadership' does not condone credit card theft," the statement said.



Now it seems the same group of hackers that was able to infiltrate the PSN servers is planning to hit back against Sony.



Sony did not immediately respond to a request for comment.

Watchmen - Two and a Half Watchmen (HD)

WATCHMEN Trailer - AMAZING!

Let the Lawsuits Begin - Class Action Lawsuit Filed Against Sony Over PSN Hack Read more: PSGroove.com - Let the Lawsuits Begin - Class Action Lawsuit Filed Against Sony Over PSN Hack

Due to the PlayStation Network's recent security failure, it was only a matter of time before legal action came against Sony. Kristopher Johns, a local California man, strikes first in the legal arena by filing a class action lawsuit against the electronics conglomerate. The man appears to be taking Sony's breach of security extremely serious and is coming at them with a team of six lawyers from two separate law firms.

Court Document: JohnsvSony-Complaint-FINAL.pdf


The legal team is alleging Sony has violated or breached the following:

(1) VIOLATION OF BUSINESS & PROFESSIONS CODE §17200;
(2) VIOLATION OF BUSINESS & PROFESSIONS CODE §17500,
FALSE OR MISLEADING STATEMENTS;
(3) BREACH OF SONG-BEVERLY CONSUMER WARRANTY ACT; AND
(4) VIOLATION OF THE CONSUMER LEGAL REMEDIES ACT;
(5) BREACH OF EXPRESS CONTRACT;
(6) BREACH OF IMPLIED CONTRACT;
(7) VIOLATIONS OF SECURITY REQUIREMENTS FOR CUSTOMER RECORDS, CIVIL CODE

KRISTOPHER JOHNS, on Behalf of Himself and for the Benefit of All with the Common or General Interest, Any Persons Injured, and All Others Similarly Situated,
vs.
SONY COMPUTER ENTERTAINMENT AMERICA LLC, a Delaware Limited Liability Company; SONY NETWORK ENTERTAINMENT INTERNATIONAL LLC, a Delaware Limited Liability Company,
Plaintiff KRISTOPHER JOHNS (“JOHNS” or “Plaintiff,”) brings this action against SONY COMPUTER ENTERTAINMENT AMERICA LLC (“SCEA”) and SONY NETWORK ENTERTAINMENT INTERNATIONAL LLC (“SNEI”) (collectively, “SONY” or “Defendant”), on behalf of himself, all others similarly situated and the general public, and alleges upon information and belief, except as to his own actions, the investigation of his counsel, which included, inter alia, review and analysis of Defendant’s press releases, Defendant’s websites, web forums, and various news articles, as follows:
OVERVIEW

1. This action is brought on behalf of plaintiff individually, as representative of the common or general interest and as class representatives for all others similarly situated nationwide against SONY to redress defendant’s breach of warranty, negligent data security, violations of consumers’ rights of privacy, failure to protect those rights, and failure and on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information.

PSN Data Leak Costs Could Top $24 Billion

The data leak stemming from the PlayStation Network could end up putting an extremely significant dent into Sony's pocketbook. However, an even more significant cost could end up stemming from the eventual identity thefts. A major security firm known as the Ponemon Institute, has estimated that data breaches, such as the one that occurred with the PSN, will end up costing consumers on average $318 per compromised account. Based on those figures and the amount of accounts on the PlayStation Network, costs could end up topping $24 Billion dollars!

Data-research firm tells Forbes price tag of PlayStation Network outage could be catastrophic; Sony offers FAQ, timeline as UK gov't readies enquiries.


Soon, the ongoing PlayStation Network outage will enter its eighth day. The past 24 hours of downtime have seen some dramatic developments, as yesterday Sony revealed that the "external intrusion" that prompted the crisis also resulted in PSN users' information being compromised. Since an estimated 77 million people have signed up for the service, the scope of the data leak is huge.


The PSN outage could prove extremely pricey for Sony.
Even larger could be the cost from the potential information theft. In an article today, Forbes cites data-security research firm The Ponemon Institute as estimating the "cost of a data breach involving a malicious or criminal act" was, on average, $318 per compromised account. Given the most recent PSN population estimate, that formula puts the potential cost as being over $24 billion.

The 2009 Ponemon Institute study that determined the figure, available here, "takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after the fact (ex-post) response. [Ponemon] also analyze[s] the economic impact of lost or diminished customer trust and confidence, measured by customer churn or turnover rates."

On the bright side, Sony did say that some PSN services should be restored within a week. Then, late yesterday, it offered some answers as to why it took so long for the company to announce that users' personal data may have been accessed by an outside party.

"There's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised," said senior director of corporate communications and social media Patrick Seybold in a statement on the PlayStation Blog.

He continued, "We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until [April 25] to understand the scope of the breach."

Sony also made a further attempt to answers PSN users' questions by posting an FAQ on the official PlayStation website. Though it often declines detailed comment, the FAQ answers a variety of questions, including steps to avoid phishing scams. It also said that Sony was "reviewing options" about potentially refunding customers due to the downtime, which could potentially add to the cost of the outage.

Meanwhile, Eurogamer reports that the British government is launching an inquiry into the PlayStation Network data breach. The site quotes the Information Commissioner's Office as saying, "We have recently been informed of an incident, which appears to involve Sony. We are contacting Sony and will be making further enquiries to establish the precise nature of the incident before deciding what action, if any, needs to be taken by this office."

The move comes one day after US Senator Richard Blumenthal (D-CT) called on Sony to offer full disclosure to PSN users if their information was compromised. He also demanded the company offer two years of free access to credit reporting services to check if their credit was adversely affected, raising the prospect of still more expenses for the company.

congress wants answers from Sony

Users aren't the only ones seeking answers from Sony regarding the recent wide scale PSN breach. The United States Congress has written a formal letter to the the Chairman of SCEA, Kazuo Hirai. The letter requests further details regarding the PSN breach, which will then be discussed at a hearing taking place on May 4, 2011 addressing Federal data security legislation. The hearing will explore issues "regarding the threat of data theft to American consumers".

Download Congress Letter: 20110428-sony-letter.pdf (55.42 KB)