When things go wrong in large institutions, one question that is often asked is: "What did they know and when did they know it?"
In the case of Sony--now confronted not only with two data breaches, but with the threat of a third, more destructive attack--that very question was posed this week in a House of Representatives subcommittee.
The answer given by Gene Spafford, a security expert and professor of computer science at Purdue University, raises troubling thoughts.
In written testimony to the House Subcommittee on Commerce, Manufacturing and Trade, Spafford highlighted recent data breaches at Sony and at Epsilon.
He wrote: "Both companies are large enough that they could have afforded to spend an appropriate amount on security and privacy protections of their data; I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk."
The Consumerist reported that in oral testimony on Wednesday to the subcommittee, Spafford amplified these comments.
He reportedly said that Internet forums had openly discussed that the Apache Web server software used by Sony was "unpatched and had no firewall installed." He also reportedly said that these concerns were debated in an open forum monitored by Sony employees.
Naturally, in security problems as serious as the ones encountered by Sony, the accusations may be more plentiful than the facts.
Still, if Spafford's assertion turns out to be accurate, then surely many will wonder why such a crucial part of Sony's business, one that relies on the trust of those who use PlayStation services, might have been so neglected.
Sony's response to the subcommittee included these words: "Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism."
The response also promised the implementation of "additional firewalls" but made no mention that the security software may have been out of date.
However, one more sentence in the response may offer a clue about Sony's previous priorities. The company is planning to create a brand-new position: chief information security officer.