
Sony Computer Entertainment America

919 East Hillsdale Blvd.
Foster City, California 94404-2175
650 655 8001 Fax

May 5, 2011

The Honorable Richard Blumenthal
The United States Senate
702 Hart Senate Office Building
Washington, DC 20510

Dear Senator Blumenthal:

I am writing in response to your letters dated April 26, 2011 and May 3, 2011. I regret not
responding to you sooner but I assure you that my attention and the attention of my colleagues
literally around the world has been keenly focused on remedying the harm caused by the
large-scale criminal cyber-attack perpetrated upon Sony and its customers. I welcome your questions
and hope that Sony can be helpful in crafting a public policy solution that reduces the chances
that cyber-attacks such as this occur in the future.

With respect to your specific questions, please understand that the PlayStation Network is an
extremely complex system that consists of approximately 130 servers, 50 software programs and
77 million registered accounts. To determine what meaningful information we could tell
consumers about the attack on that network required a thorough investigation to understand what
had occurred.
The basic sequence of events is as follows:

On Tuesday, April 19, 2011, the Sony Network Entertainment America (SNEA) network team
discovered that several PlayStation Network servers unexpectedly rebooted themselves and that
unplanned and unusual activity was taking place on the network. This activity triggered an
immediate response.

The network team took four servers off line and an internal assessment began. That process
continued into the evening. On Wednesday, April 20th, SNEA mobilized a larger internal team
to assist the investigation of the four suspect servers. That team discovered the first credible
indications that an intruder had been in the PlayStation Network system, and six more servers
were identified as possibly being compromised. SNEA immediately decided to shut down all of
the PlayStation Network services in order to prevent any additional damage.

On the afternoon of April 20th, SNEA retained a recognized security and forensic consulting firm
to mirror the servers to enable a forensic analysis. The type of mirroring required to provide
meaningful information in this type of situation had to be meticulous and took many hours to
complete.
Letter to Honorable Richard Blumenthal
May 5, 2011
Page 2 of 5

The scope and complexity of the investigation grew substantially as additional evidence about
the attack developed. On Thursday, April 21, SNEA retained a second recognized security and
forensic consulting firm to assist in the investigation. That firm's role was to provide additional
manpower to image the servers and to conduct a forensic analysis of all aspects of the suspected
security breach.

The team took until Friday afternoon, April 22, to complete the mirroring of the first nine servers
that were suspected of being compromised. By the evening of Saturday, April 23, the forensic
teams were able to confirm that intruders had used very sophisticated and aggressive techniques
to obtain unauthorized access to the servers and hide their presence from the system
administrators.

Among other things, the intruders deleted log files in order to hide the extent of their work and
activity within the network. At this point, SNEA knew it was dealing with a sophisticated hacker
and on Sunday, April 24 (Easter Sunday) decided that it needed to retain a third forensic team
with highly specialized skills to assist with the investigation. Specifically, this firm was retained
to provide even more manpower for forensic analysis in all aspects of the suspected security
breach and, in particular, to use their specialized skills to determine the scope of the data theft.

By Monday, April 25, 2011, the forensic teams assembled by SNEA were finally able to confirm
the scope of the personal data that they believed had been taken, but they could not rule out
whether credit card information had been accessed.
SNEA was aware of its affirmative obligations under various state statutes to conduct a
reasonable and prompt investigation to determine the nature and scope of the breach and to
restore the integrity of its network system. SNEA also understood its obligation to report its
findings to consumers if certain, specific kinds of personal information could have been
compromised. As you are aware, there are a variety of state statutes that apply, and several that
have conflicting or inconsistent requirements, but given the global nature of the network, SNEA
needed to be mindful of them all - and has endeavored to comply with them all.

Throughout the process, SNEA was very concerned that announcing incomplete, tentative or
potentially misleading information to consumers could cause confusion and lead them to take
unnecessary actions. SNEA felt that it was important - and that it was in keeping with the
mandate of state law - that any information SNEA provided to customers be corroborated by
meaningful evidence.

Indeed, many state statutes (e.g., AZ, CT, CO, DE, FL, ID, ME, MD, MS, NE, VT, WI, WY)
essentially require disclosure without unreasonable delay once an investigation has been done to
identify the nature and scope of what happened and who was affected. That is precisely the
course we followed.

While the forensic teams had not completed their investigation as of April 25 and could not
determine if credit card information had been accessed, SNEA did not know when or if it would
be able to rule out that possibility. And so, on Tuesday, April 26, SNEA and Sony Computer
Entertainment America (SCEA) notified consumers of the situation.

SNEA and Sony Online Entertainment (SOE) continued to investigate the potential scope of this
criminal attack even after consumers were notified of the breach. In the course of that
investigation, on Sunday, May 1, using information uncovered by the forensic teams, engineers
at SOE discovered that data had also been taken from their servers. They, too, shut down
operations and on Monday, May 2, notified their consumers of the discovery.

Both SNEA and SOE notified consumers about the theft of data in a variety of ways. They
issued global press releases that received widespread circulation across a range of media. Both
companies have posted notices on the first page of their websites where most consumers are first
likely to seek information. SNEA has posted a notice on the PlayStation website
(www.PlayStation.com) that directs consumers to PlayStation Network Data Security Updates,
and on the Qriocity website (www.Qriocity.com) that directs consumers to the customer support
page with an "IMPORTANT Service Announcement". SOE has posted a "Security Notice" on
its home page. Sony Computer Entertainment America, the company most associated with the
PlayStation® brand, has communicated with its consumers via the PlayStation Blog and has
placed a prominent notice on its home page. Finally both SNE and SOE have been sending the
e-mail notices to individual consumers that you mentioned in your letter.

In your letter you suggest that sending 500,000 emails an hour is not expeditious; however, this
limitation exists because these emails are not "batch" e-mails. The e-mails are individually
tailored to our consumers' accounts. To comply with the various state laws that recognize
personal notice (such as via email) may be delayed or otherwise undeliverable we, in the forms
noted above, provided what is known as "substitute notice" to our consumers. (I do not believe
the email pace relates to the decision to announce on April 26, as apparently suggested by
someone to your staff; these issues are unrelated, and we apologize for any confusion).
With respect to your question about credit cards potentially involved, SNEA had approximately
12.3 million active and expired credit cards, approximately 5.6 million of which were in the U.S.
As of this writing, there remains no evidence that the credit card information was stolen and the
major credit card companies are still reporting that they have not seen an increase in fraudulent
transactions due to this event.

Unfortunately, our forensic teams still have not been able to rule out that credit card data was
taken. That is why we have continued to be cautious in alerting our customers to the possibility
it was stolen.

Since SNEA gave its first notice that the PlayStation Network and Qriocity services were
compromised, SOE has subsequently announced the possible theft of personal information from
approximately 24.6 million SOE accounts and also announced that approximately 12,700 credit
cards (with expiration dates but not security codes) and approximately 10,700 direct debit
records -- all from non-US consumers -- may have been taken.

You have questioned why SOE did not disclose this loss of data from its servers until May 2.
The reason was because SOE did not discover that theft until May 1. The intruder carefully
covered his or her tracks in the server systems. In fact, as noted above, the discovery was made
only after SOE rechecked their machines -- which earlier showed no evidence of theft -- using
information developed by our forensic experts working in collaboration with our technical teams.

Notices as required by various state statutes were prepared and the information was made
available to consumers through a press release and emails to SOE customers beginning on May 2.

You have also asked how we will protect consumers going forward. We have already advised
our consumers in the U.S. that we would offer a complimentary identity theft protection
program, the details of which we will announce shortly. SNEA is finalizing details of this offer
and SOE has agreed to participate in the offer and will make it available to its consumers as well.

In addition to offering this identity theft protection, SNEA has announced a series of steps that it
will take -- most of which were in progress before this theft occurred -- to enhance security before
the service is restored. SOE has taken or will take similar steps. Those steps are:

- additional automated software monitoring and configuration management to help
  defend against new attacks;
- enhanced levels of data protection and encryption;
- enhanced capabilities to detect software intrusions within the network, unauthorized
  access and unusual activity patterns;
- implementation of additional firewalls;
- expediting a planned move of the system to a new data center in a different location
  with enhanced security; and
- appointment of a new Chief Information Security Officer.
Please allow me to attach a letter delivered yesterday to the House Committee on Energy and
Commerce, Subcommittee on Commerce, Manufacturing and Trade, which provides additional
information that might be of interest.

We of course deeply regret that this incident has occurred and have apologized to our customers.
We believe we are taking aggressive action to right what you correctly perceive is a grievous
wrong against our consumers: a wrong that is the result of a malicious, sophisticated and well
orchestrated criminal attack on us and our consumers.

While those who perpetrated this crime no doubt relish putting us in the cross-hairs of
controversy, I know you can appreciate how widespread the problem of cybercrime is in society
today. What happened to us, though more vast in scope, has happened to many others before.
And cybercriminals will continue to attack businesses, consumers, and governments, posing a
real threat to our economy and security.

We believe a strong coalition among government, industry, and consumers is needed to identify
ways that the public and private sectors can work more closely together to enact strong laws,
promote stronger enforcement of those laws, educate people about the threats we face, share best
practices and make the Internet a safe place for everyone to engage in commerce. In this we
commend you for your leadership.

We do not want what happened to us and our consumers to happen to any other business,
consumer or organization, and we look forward to bringing the lessons we have learned to all
who are concerned about the threat of cybercrimes to our way of life.

Very truly yours,

Kazuo Hirai
President and Group Chief Executive Officer
Sony Computer Entertainment Inc.

Attachment
