The cyber attack that knocked the PlayStation Network and Sony Online Entertainment offline for more than a week was a “very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information,” according to a letter from Sony to members of Congress obtained by Kotaku today.
While Sony declined to testify at today’s congressional hearings on the threat of data theft to American consumers they did provide Congress with some answers to their pointed questions.
In an eight-page letter dated May 3, Kazuo Hirai, chairman of the board of directors for Sony Computer Entertainment of America, explains the lead up to the attack, how it was first detected and the deep impact it is having on the multinational company.
On April 19, at 4.15pm Pacific, members of the Sony Network Entertainment America network team detected unauthorised activity in the network system, according to the letter.
“The network service team immediately began to evaluate this activity by reviewing running logs and analysing information in order to determine if there was a problem with the system,” Hirai writes.
On April 20, in the early afternoon, the team discovered evidence that the unauthorised intrusion had occurred and that data of some kind had been taken from the Playstation Network servers. The team didn’t know what the data was, so they shut the system down.
That shut down kicked off what Hirai calls an “exhaustive and highly sophisticated process of identifying the means of access and the nature and scope of the theft”.
Later that afternoon, Sony Network Entertainment of America brought on a “recognised security and forensic consulting firm” to copy the servers and begin a deeper investigation in the break in. As the investigation continued, Hirai writes, the scope and complexity grew.
On April 21, Sony brought in a second computer security and forensic consulting form to help. By the evening of April 23, the experts confirmed that intruders had used “very sophisticated and aggressive techniques” to break into the network undetected.
On Easter Sunday, now realising how serious the breach was, Sony brought on a third team that specialised in these sorts of intrusions. By April 25, the teams confirmed that personal data had been stolen from the network, but still could not determine whether credit card info was stolen.
On April 26 Sony notified users that personal information had been taken and that they could not rule out credit card theft.
Sony says they were reluctant to prove partial information to the public about the breach and what was stolen because they worried it could cause confusion among consumers and “lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence”.
Sony still hasn’t determined whether credit card information was stolen, but they did say that of the 77 million PlayStation Network and Qriocity service accounts, about 12.3 million of them had credit card information on file. Of that, 5.6 million were from the US and the rest abroad.
Hirai assured congress in his letter that the company has figured out how the breach happened, something they declined to share because of the nature of the on-going investigation by the FBI. They haven’t yet, Hirai said, identified who was behind the breach.
Hirai added that the company has taken a number of steps to try and prevent future breaches including adding automated software monitoring to their networks, enhanced levels of data protection and encryption, new firewalls, moving the data centre to a different location and hiring a new Chief Information Security Officer.
The attack, the subsequent investigation and the fall out are described by Hirai as “unprecedented”, “extraordinary circumstances and challenges” that employees of Sony Network Entertainment America and Sony Computer Entertainment America have “endured”.
“They were faced with very difficult decisions and often-times conflicting concerns and objectives,” he wrote. “Throughout this challenging period, they acted carefully and cautiously and strove to provide correct and accurate information while balancing concerns for our consumers’ privacy and need for information.”
Hirai wrapped up his eight-page letter with a request to the congressional committee:
“We ask the Committee to consider as well the connection between data security and the cybercrimes and cyber terrorism that threaten to make the Internet unsafe for consumers and commerce.”