While he did not say the Anonymous hacker group stole Sony customer data, the chairman of Sony Online Entertainment told a Congressional subcommittee today that the timing of the breach and evidence found during the investigation point toward the group, even if it wasn't directly responsible.
A file planted on a Sony Online Entertainment server during the computer intrusion was named "Anonymous," Kazuo Hirai, chairman of the board of directors of Sony Computer Entertainment America, said in a written response to questions posed by the Subcommittee on Commerce, Manufacturing, and Trade, which is part of the U.S. House of Representatives' Committee on Energy and Commerce. In addition, Hirai said, the intrusion that exposed customer information came weeks after several Sony companies were targeted by a "large-scale, coordinated denial-of-service attack by the group called Anonymous."
However, asked if Sony has identified the individual(s) responsible for the breach, Hirai responded "No."
Meanwhile, the group's Internet Relay Chat channel used to organize its attacks was taken offline shortly after Hirai's statement was released.
"When Sony Online Entertainment discovered this past Sunday afternoon that data from its servers had been stolen, it also discovered that the intruders had planted a file named 'Anonymous' on one of those servers, a file containing the statement with the words 'We are Legion,'" Hirai said in his written answers to the committee, which held a hearing in Washington, D.C., today on "The Threat of Data Theft to American Consumers."
A Sony representative said that those were the only words found among the evidence that reference the hacker group.
Anonymous members, who have denied that they were behind the data breach, typically end communications from the group with: "We are Anonymous. We are Legion. We do not Forgive. We do not Forget. Expect Us."
Hirai wrote: "Almost two weeks ago, one or more cybercriminals gained access to PlayStation Network servers at or around the same time that these servers were experiencing denial-of-service attacks. The Sony Network Entertainment America team did not immediately detect the criminal intrusion for several possible reasons"--including the sophistication of the intrusion, which exploited a system software vulnerability, and the fact that security teams were working hard to defend against denial-of-service attacks, he wrote. "That may have made it more difficult to detect this intrusion quickly--all perhaps by design."
In the course of investigating that intrusion, the company learned on Sunday that data was likely also stolen from the Sony Online Entertainment multiplayer game service, a fact that had previously gone undetected during the initial probe into the PlayStation Network attack, Hirai said.
"What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information for illegal purposes," Hirai wrote. "Sunday's discovery that data had been stolen from Sony Online Entertainment only highlights this point."
"Whether those who participated in the denial-of-service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know," Hirai said. "In any case, those who participated in the denial-of-service attacks should understand that--whether they knew it or not--they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony's many customers around the world."
Anonymous targeted Sony in a distributed denial-of-service (DDoS) attack to protest the company's lawsuit against hacker George Hotz alleging that his jailbreaking the Sony PlayStation violated the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act. The lawsuit was settled the following week.
Two weeks later, Sony warned 77 million customers that their personal information, including names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords, and usernames, as well as online user handles, had been obtained illegally by an "unauthorized person." The company has said repeatedly that there is no evidence that credit card information was stolen and the major credit card companies have not reported any fraudulent transactions that are believed to be related to the attack.
Sony Online Entertainment was taken offline Monday and the company said it discovered that attackers may have also obtained 24.6 million Sony Online Entertainment customer names, addresses, e-mail addresses, genders, birth dates, phone numbers, log-in names, and hashed passwords.
Complaints about handling
The company has been blasted by customers for what they claim was a slow response in reporting the breach and returning service to PlayStation Network members. The service has been down for two weeks now. In addition, members of Congress and state attorneys general have complained about and questioned Sony's security measures and handling of the matter.
In his answers, Hirai said Sony has tried to err on the side of safety and security by shutting down its systems and keeping them offline until the security is strengthened. The company immediately hired a highly regarded information technology security firm to help, is working with the FBI, and is offering a month of free service to affected customers and free identity theft protection services to customers in the U.S., he said.
Hirai's statement gave a chronology of events. On April 19, the company detected unauthorized activity in the network, specifically "that certain systems were rebooting when they were not scheduled to do so." On April 20, Sony discovered that data "of some kind" had been transferred off the PlayStation Network servers without authorization, and so administrators shut down the system. The company also hired a forensic consulting firm that day to mirror the servers to analyze them and hired another forensic firm to help with the investigation the following day. The intruders deleted log files in order to hide their presence from system administrators and they escalated privileges inside the servers, Hirai said.
On April 22, the company's general counsel provided the FBI information about the intrusion. On April 24, the company hired a third forensic team. Sony gave public notice about the problem on April 26, and notified regulatory authorities on April 26 and 27.
"Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence," Hirai wrote.
As part of its security enhancement measures, the company is now adding automated software monitoring and configuration management, boosting levels of data protection and encryption, improving the ability to detect intrusions and unusual activity patterns, and adding more firewalls. It has also named a new Chief Information Security Officer.
The three forensics firms the company has hired are Data Forte, Guidance Software and Protiviti, and Sony also has hired the law firm of Baker & McKenzie, a Sony spokesman confirmed today.
Sony also released a statement on its blog summarizing Hirai's eight-page written response.
Updated 1:58 p.m. PT with name of consultants and law firm Sony hired, 12:47 p.m. PT with more details and 11 a.m. PT with more details, background.