Sony Explains PlayStation Network Hack To Congress

WASHINGTON -- The data breach that hit Sony's PlayStation Network resulted from a "very carefully planned, very professional, highly sophisticated criminal cyber-attack designed to steal personal and credit card information for illegal purposes," a Sony executive said.

In a letter to members of the House Commerce Committee released Wednesday, Kazuo Hirai, chairman of Sony Computer Entertainment America LLC, defended the company's handling of the breach.

Sony first disclosed the attack last week and said it may have compromised credit card data, email addresses and other personal information from 77 million user accounts. On Monday, Sony said data from an additional 24.6 million online gaming accounts also may have been stolen.

The company has shut down the affected systems while it investigates the attacks and beefs up security. Hirai said Sony is working "around the clock to get the systems back up and to make sure all our customers are informed of the data breach and our responses to it."

Addressing criticism that the company waited too long to inform customers, Hirai said Sony waited until it had a solid understanding and confirmation of the extent of the attack and its implications.

"Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence," he wrote.

Although Sony began investigating unusual activity on the PlayStation network on April 19, it did not notify consumers of the breach until April 26.

Hirai's letter said the company knows who is responsible for the attack and is working with outside security and forensics consultants and the Federal Bureau of Investigation.

The letter also noted that the breach came on the heels of large-scale, coordinated denial-of-service attacks launched by a loose international group of hackers called Anonymous against several Sony operations in retaliation for a complaint filed by the company against a hacker in U.S. District Court in San Francisco.

On Sunday Sony discovered that intruders had planted a file named "Anonymous" on one server that had been breached, Hirai said. Late last year, Anonymous distributed hacking software to be used against companies that stopped doing business with the anti-secrecy site WikiLeaks after it released thousands of classified government documents.

Hirai's letter added that Sony may not have immediately detected the PlayStation breach in part because its security teams were busy trying to defend against the denial-of-service attacks.

"Whether those who participated in the denial-of-service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know," Hirai wrote.

Hirai was one of three Sony executives who bowed in apology for the data breaches for several seconds at the company's Tokyo headquarters on Sunday.

His letter was in response to an inquiry by Rep. Mary Bono Mack, R-Calif., who chairs the House Commerce Subcommittee on Commerce, Manufacturing and Trade, and Rep. G.K. Butterfield of North Carolina, the subcommittee's top Democrat.

Sony officials were invited to testify at a subcommittee hearing on data breaches held Wednesday, but did not appear.

One witness, David Vladeck, director of Federal Trade Commission's bureau of consumer protection, during his testimony called for legislation that would require companies to implement reasonable data security policies and procedures, and notify consumers in the event of a breach.