Sony Computer Entertainment America
919 East Hillsdale Blvd.
Foster City, California 94404-2175
650 655 8000
650 655 8001 Fax
May 5, 2011
The Honorable Richard Blumenthal
The United States Senate
702 Hart Senate Office Building
Washington DC 20510
Dear Senator Blumenthal:
I am writing in response to your letters dated April 26, 2011 and May 3, 2011. I regret not responding to you sooner but I assure you that my attention and the attention of my colleagues literally around the world has been keenly focused on remedying the harm caused by the large-scale criminal cyber-attack perpetrated upon Sony and its customers. I welcome your questions and hope that Sony can be helpful in crafting a public policy solution that reduces the chances that cyber-attacks such as this occur in the future.
With respect to your specific questions, please understand that the PlayStation Network is an extremely complex system that consists of approximately 130 servers, 50 software programs and 77 million registered accounts. To determine what meaningful information we could tell consumers about the attack on that network required a thorough investigation to understand what had occurred.
The basic sequence of events is as follows:
On Tuesday, April 19, 2011, the Sony Network Entertainment America (SNEA) network team discovered that several PlayStation Network servers unexpectedly rebooted themselves and that unplanned and unusual activity was taking place on the network. This activity triggered an immediate response. The network team took four servers off line and an internal assessment began. That process continued into the evening. On Wednesday, April 20th, SNEA mobilized a larger internal team to assist the investigation of the four suspect servers. That team discovered the first credible indications that an intruder had been in the PlayStation Network system, and six more servers were identified as possibly being compromised. SNEA immediately decided to shut down all of the PlayStation Network services in order to prevent any additional damage.
On the afternoon of April 20th, SNEA retained a recognized security and forensic consulting firm to mirror the servers to enable a forensic analysis. The type of mirroring required to provide meaningful information in this type of situation had to be meticulous and took many hours to complete.
Letter to Honorable Richard Blumenthal May 5, 2011 Page 2 of 5
The scope and complexity of the investigation grew substantially as additional evidence about the attack developed. On Thursday, April 21, SNEA retained a second recognized security and forensic consulting firm to assist in the investigation. That firm's role was to provide additional manpower to image the servers and to conduct a forensic analysis of all aspects of the suspected security breach.
The team took until Friday afternoon, April 22, to complete the mirroring of the first nine servers that were suspected of being compromised. By the evening of Saturday, April 23, the forensic teams were able to confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorized access to the servers and hide their presence from the system administrators.
Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network. At this point, SNEA knew it was dealing with a sophisticated hacker and on Sunday, April 24 (Easter Sunday) decided that it needed to retain a third forensic team with highly specialized skills to assist with the investigation. Specifically, this firm was retained to provide even more manpower for forensic analysis in all aspects of the suspected security breach and, in particular, to use their specialized skills to determine the scope of the data theft.
By Monday April 25, 2011, the forensic teams assembled by SNEA were finally able to confirm the scope of the personal data that they believed had been taken, but they could not rule out whether credit card information had been accessed.
SNEA was aware of its affirmative obligations under various state statutes to conduct a reasonable and prompt investigation to determine the nature and scope of the breach and to restore the integrity of its network system. SNEA also understood its obligation to report its findings to consumers if certain, specific kinds of personal information could have been compromised. As you are aware, there are a variety of state statutes that apply, and several that have conflicting or inconsistent requirements, but given the global nature of the network, SNEA needed to be mindful of them all - and has endeavored to comply with them all.
Throughout the process, SNEA was very concerned that announcing incomplete, tentative or potentially misleading information to consumers could cause confusion and lead them to take unnecessary actions. SNEA felt that it was important - and that it was in keeping with the mandate of state law - that any information SNEA provided to customers be corroborated by meaningful evidence.
Indeed, many state statutes (e.g., AZ, CT, CO, DE, FL, ID, ME, MD, MS, NE, VT, WI, WY) essentially require disclosure without unreasonable delay once an investigation has been done to identify the nature and scope of what happened and who was affected. That is precisely the course we followed.
While the forensic teams had not completed their investigation as of April 25 and could not determine if credit card information had been accessed, SNEA did not know when or if it would be able to rule out that possibility. And so, on Tuesday, April 26, SNEA and Sony Computer Entertainment America (SCEA) notified consumers of the situation.
SNEA and Sony Online Entertainment (SOE) continued to investigate the potential scope of this criminal attack even after consumers were notified of the breach. In the course of that investigation, on Sunday, May 1, using information uncovered by the forensic teams, engineers at SOE discovered that data had also been taken from their servers. They, too, shut down operations and on Monday, May 2, notified their consumers of the discovery.

Both SNEA and SOE notified consumers about the theft of data in a variety of ways. They issued global press releases that received widespread circulation across a range of media. Both companies have posted notices on the first page of their websites where most consumers are first likely to seek information. SNEA has posted notice on the PlayStation website (www.PlayStation.com) that directs consumers to PlayStation Network Data Security Updates, and on the Qriocity website (www.Qriocity.com) that directs consumers to the customer support page with an "IMPORTANT Service Announcement". SOE has posted a "Security Notice" on its home page. Sony Computer Entertainment America, the company most associated with the PlayStation® brand, has communicated with its consumers via the PlayStation Blog and has placed a prominent notice on its home page. Finally, both SNEA and SOE have been sending the e-mail notices to individual consumers that you mentioned in your letter.
In your letter you suggest that sending 500,000 emails an hour is not expeditious; however, this limitation exists because these emails are not "batch" e-mails. The e-mails are individually tailored to our consumers' accounts. To comply with the various state laws that recognize personal notice (such as via email) may be delayed or otherwise undeliverable, we, in the forms noted above, provided what is known as "substitute notice" to our consumers. (I do not believe the email pace relates to the decision to announce on April 26, as apparently suggested by someone to your staff; these issues are unrelated, and we apologize for any confusion.)
With respect to your question about credit cards potentially involved, SNEA had approximately 12.3 million active and expired credit cards, approximately 5.6 million of which were in the U.S. As of this writing, there remains no evidence that the credit card information was stolen and the major credit card companies are still reporting that they have not seen an increase in fraudulent transactions due to this event.
Unfortunately, our forensic teams still have not been able to rule out that credit card data was taken. That is why we have continued to be cautious in alerting our customers to the possibility it was stolen.
Since SNEA gave its first notice that the PlayStation Network and Qriocity services were compromised, SOE has subsequently announced the possible theft of personal information from approximately 24.6 million SOE accounts and also announced that approximately 12,700 credit cards (with expiration dates but not security codes) and approximately 10,700 direct debit records -- all from non-US consumers -- may have been taken. You have questioned why SOE did not disclose this loss of data from its servers until May 2. The reason was because SOE did not discover that theft until May 1. The intruder carefully covered his or her tracks in the server systems. In fact, as noted above, the discovery was made only after SOE rechecked their machines -- which earlier showed no evidence of theft -- using information developed by our forensic experts working in collaboration with our technical teams.
Notices as required by various state statutes were prepared and the information was made available to consumers through a press release and emails to SOE customers beginning on May
You have also asked how we will protect consumers going forward. We have already advised our consumers in the U.S. that we would offer a complimentary identity theft protection program, the details of which we will announce shortly. SNEA is finalizing details of this offer and SOE has agreed to participate in the offer and will make it available to its consumers as well.
In addition to offering this identity theft protection, SNEA has announced a series of steps that it will take -- most of which were in progress before this theft occurred -- to enhance security before the service is restored. SOE has taken or will take similar steps. Those steps are:

• additional automated software monitoring and configuration management to help defend against new attacks;
• enhanced levels of data protection and encryption;
• enhanced capabilities to detect software intrusions within the network, unauthorized access and unusual activity patterns;
• implementation of additional firewalls;
• expediting a planned move of the system to a new data center in a different location with enhanced security; and
• appointment of a new Chief Information Security Officer.
Please allow me to attach a letter delivered yesterday to the House Committee on Energy and Commerce, Subcommittee on Commerce, Manufacturing and Trade, which provides additional information that might be of interest.
We of course deeply regret that this incident has occurred and have apologized to our customers. We believe we are taking aggressive action to right what you correctly perceive is a grievous wrong against our consumers: a wrong that is the result of a malicious, sophisticated and well orchestrated criminal attack on us and our consumers.
While those who perpetrated this crime no doubt relish putting us in the cross-hairs of controversy, I know you can appreciate how widespread the problem of cybercrime is in society today. What happened to us, though more vast in scope, has happened to many others before. And cybercriminals will continue to attack businesses, consumers, and governments, posing a real threat to our economy and security.
We believe a strong coalition among government, industry, and consumers is needed to identify ways that the public and private sectors can work more closely together to enact strong laws, promote stronger enforcement of those laws, educate people about the threats we face, share best practices and make the Internet a safe place for everyone to engage in commerce. In this we commend you for your leadership.
We do not want what happened to us and our consumers to happen to any other business, consumer or organization, and we look forward to bringing the lessons we have learned to all who are concerned about the threat of cybercrimes to our way of life.
Very truly yours,
Kazuo Hirai
President and Group Chief Executive Officer
Sony Computer Entertainment Inc.