Senator Blumenthal Letter from Sony

Published by Arik Hesseldahl on May 06, 2011
SONY COMPUTER ENTERTAINMENT
Sony Computer Entertainment America
919 East Hillsdale Blvd., Foster City, California 94404-2175
650 655 8000
650 655 8001 Fax

May 5, 2011

The Honorable Richard Blumenthal
The United States Senate
702 Hart Senate Office Building
Washington, DC 20510

Dear Senator Blumenthal:
I am writing in response to your letters dated April 26, 2011 and May 3, 2011. I regret not responding to you sooner but I assure you that my attention and the attention of my colleagues literally around the world has been keenly focused on remedying the harm caused by the large-scale criminal cyber-attack perpetrated upon Sony and its customers. I welcome your questions and hope that Sony can be helpful in crafting a public policy solution that reduces the chances that cyber-attacks such as this occur in the future.

With respect to your specific questions, please understand that the PlayStation Network is an extremely complex system that consists of approximately 130 servers, 50 software programs and 77 million registered accounts. To determine what meaningful information we could tell consumers about the attack on that network required a thorough investigation to understand what had occurred. The basic sequence of events is as follows: On Tuesday, April 19, 2011, the Sony Network Entertainment America (SNEA) network team discovered that several PlayStation Network servers unexpectedly rebooted themselves and that unplanned and unusual activity was taking place on the network. This activity triggered an immediate response. The network team took four servers off line and an internal assessment began. That process continued into the evening.

On Wednesday, April 20th, SNEA mobilized a larger internal team to assist the investigation of the four suspect servers. That team discovered the first credible indications that an intruder had been in the PlayStation Network system, and six more servers were identified as possibly being compromised. SNEA immediately decided to shut down all of the PlayStation Network services in order to prevent any additional damage. On the afternoon of April 20th, SNEA retained a recognized security and forensic consulting firm to mirror the servers to enable a forensic analysis. The type of mirroring required to provide meaningful information in this type of situation had to be meticulous and took many hours to complete.
Letter to Honorable Richard Blumenthal, May 5, 2011, Page 2 of 5
The scope and complexity of the investigation grew substantially as additional evidence about the attack developed. On Thursday, April 21, SNEA retained a second recognized security and forensic consulting firm to assist in the investigation. That firm's role was to provide additional manpower to image the servers and to conduct a forensic analysis of all aspects of the suspected security breach. The team took until Friday afternoon, April 22, to complete the mirroring of the first nine servers that were suspected of being compromised. By the evening of Saturday, April 23, the forensic teams were able to confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorized access to the servers and hide their presence from the system administrators. Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network. At this point, SNEA knew it was dealing with a sophisticated hacker and on Sunday, April 24 (Easter Sunday) decided that it needed to retain a third forensic team with highly specialized skills to assist with the investigation. Specifically, this firm was retained to provide even more manpower for forensic analysis in all aspects of the suspected security breach and, in particular, to use their specialized skills to determine the scope of the data theft.

By Monday, April 25, 2011, the forensic teams assembled by SNEA were finally able to confirm the scope of the personal data that they believed had been taken, but they could not rule out whether credit card information had been accessed.

SNEA was aware of its affirmative obligations under various state statutes to conduct a reasonable and prompt investigation to determine the nature and scope of the breach and to restore the integrity of its network system. SNEA also understood its obligation to report its findings to consumers if certain, specific kinds of personal information could have been compromised. As you are aware, there are a variety of state statutes that apply, and several that have conflicting or inconsistent requirements, but given the global nature of the network, SNEA needed to be mindful of them all - and has endeavored to comply with them all. Throughout the process, SNEA was very concerned that announcing incomplete, tentative or potentially misleading information to consumers could cause confusion and lead them to take unnecessary actions. SNEA felt that it was important - and that it was in keeping with the mandate of state law - that any information SNEA provided to customers be corroborated by meaningful evidence. Indeed, many state statutes (e.g., AZ, CT, CO, DE, FL, ID, ME, MD, MS, NE, VT, WI, WY) essentially require disclosure without unreasonable delay once an investigation has been done to identify the nature and scope of what happened and who was affected. That is precisely the course we followed.

While the forensic teams had not completed their investigation as of April 25 and could not determine if credit card information had been accessed, SNEA did not know when or if it would be able to rule out that possibility. And so, on Tuesday, April 26, SNEA and Sony Computer Entertainment America (SCEA) notified consumers of the situation.
SNEA and Sony Online Entertainment (SOE) continued to investigate the potential scope of this criminal attack even after consumers were notified of the breach. In the course of that investigation, on Sunday, May 1, using information uncovered by the forensic teams, engineers at SOE discovered that data had also been taken from their servers. They, too, shut down operations and on Monday, May 2, notified their consumers of the discovery.

Both SNEA and SOE notified consumers about the theft of data in a variety of ways. They issued global press releases that received widespread circulation across a range of media. Both companies have posted notices on the first page of their websites where most consumers are first likely to seek information. SNEA has posted a notice on the PlayStation website (www.PlayStation.com) that directs consumers to PlayStation Network Data Security Updates, and on the Qriocity website (www.Qriocity.com) that directs consumers to the customer support page with an "IMPORTANT Service Announcement". SOE has posted a "Security Notice" on its home page. Sony Computer Entertainment America, the company most associated with the PlayStation® brand, has communicated with its consumers via the PlayStation Blog and has placed a prominent notice on its home page. Finally, both SNE and SOE have been sending the e-mail notices to individual consumers that you mentioned in your letter.

In your letter you suggest that sending 500,000 emails an hour is not expeditious; however, this limitation exists because these emails are not "batch" e-mails. The e-mails are individually tailored to our consumers' accounts. To comply with the various state laws that recognize personal notice (such as via email) may be delayed or otherwise undeliverable, we, in the forms noted above, provided what is known as "substitute notice" to our consumers. (I do not believe the email pace relates to the decision to announce on April 26, as apparently suggested by someone to your staff; these issues are unrelated, and we apologize for any confusion).

With respect to your question about credit cards potentially involved, SNEA had approximately 12.3 million active and expired credit cards, approximately 5.6 million of which were in the U.S. As of this writing, there remains no evidence that the credit card information was stolen and the major credit card companies are still reporting that they have not seen an increase in fraudulent transactions due to this event. Unfortunately, our forensic teams still have not been able to rule out that credit card data was taken. That is why we have continued to be cautious in alerting our customers to the possibility it was stolen.

Since SNEA gave its first notice that the PlayStation Network and Qriocity services were compromised, SOE has subsequently announced the possible theft of personal information from approximately 24.6 million SOE accounts and also announced that approximately 12,700 credit cards (with expiration dates but not security codes) and approximately 10,700 direct debit records -- all from non-US consumers - may have been taken.

You have questioned why SOE did not disclose this loss of data from its servers until May 2. The reason was because SOE did not discover that theft until May 1. The intruder carefully covered his or her tracks in the server systems. In fact, as noted above, the discovery was made only after SOE rechecked their machines -- which earlier showed no evidence of theft - using information developed by our forensic experts working in collaboration with our technical teams.