As Sony works to bring its PlayStation Network back online following a security breach last week, more government agencies are seeking answers from the company.
The U.S. House of Representatives subcommittee on Energy and Commerce sent a letter to Sony Computer Entertainment America Chairman Kazuo Hirai today, posing more than a dozen questions about the nature of the breach, Sony's policy on data protection and privacy, and its plans for compensating customers.
In the letter, the committee's chairwoman Rep. Mary Bono Mack (R-Calif.) said it would like to know how the intrusion on Sony's network occurred to "inform our efforts to protect consumer information." The committee wants answers no later than May 6.
The Law and Regulations Commission of the city of Taipei, Taiwan, yesterday said it also sent a letter to Sony asking for a full rundown of how the personal information and possibly credit card data of its PlayStation Network customers was compromised. It is also asking how Sony plans to compensate its customers.
The letter was sent Wednesday and Sony has 10 days to respond before incurring a fine from the commission of between NT$30,000 (U.S. $1,041) and NT$300,000 (U.S. $10,408) for violating the city's consumer protection laws.
Sony warned the more than 75 million customers of its PlayStation Network service on Tuesday that their names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords, and user names, as well as online user handles, were obtained illegally by an "unauthorized person" last week. As a result, it has shut down PSN and Qriocity while it rebuilds the security.
Sony has said it "has no evidence" that credit cards numbers were exposed in the breach. A group of hackers has been bragging on Internet message boards that it is in possession of 2.2 million credit card numbers from Sony that it is attempting to sell back to the company, something a Sony spokesman has denied.
The company admitted that while credit card information was encrypted, names, e-mails, birthdays, passwords, and more were not.
Sony has taken heat from customers for waiting a week before informing them of the breach. But legal authorities have also been pressing Sony for answers on how they have so far handled the situation.
Before Taipei got involved, the UK Information Commissioners Office, the agency responsible for ensuring data protection and privacy, said it is investigating the matter. The country's Data Protection act requires any entity that handles private data of individuals to keep it secure. Serious breaches can incur penalties of up to £500,000 ($833,290), though it could be avoided if Sony agreed to improve its security to bring itself into compliance with the local law.
Canada's Privacy Commission is also undertaking an investigation into the matter, a commission spokeswoman said earlier this week.
U.S. Sen. Richard Blumenthal (D-Conn.) was the first to jump into the legal fray when he promptly sent a letter Tuesday to Jack Tretton, president and chief executive of Sony Computer Entertainment America, saying he was troubled that the company had not notified customers sooner about the breach. He also called for Sony to provide affected customers with financial data security services, including free access to credit reporting services for two years to protect against identity theft.
Sony has said it contacted law enforcement and is working with a private security firm to investigate the intrusion on its network. Reuters reports the company is working with the FBI.
Sony has also said it plans to compensate customers for the incident, though it hasn't revealed when or how.
This post was updated at 2:12 p.m. PT with information about the Congressional subcommittee's letter to Sony.