Members of Congress on Wednesday continued to criticize Sony for its reaction to the massive security breach affecting its PlayStation Network, and now Sony Online Entertainment.
In a Tuesday letter, however, Sony said the attack was "very carefully planned" and that credit card companies have not reported any fraudulent activity based on data obtained from the hack.
During a hearing on data security, Rep. Mary Bono Mack expressed concern that Sony informed people about the hack on its blog rather than via personal communication. Sen. Richard Blumenthal, meanwhile, said in a letter that Sony's failure to adequately notify customers was "unconscionable and unacceptable."
Bono Mack, a California Republican, confirmed that Sony declined to testify before the House Subcommittee on Commerce, Manufacturing, and Trade. The company "says it's too busy with its ongoing investigation to appear," she said.
Sony's PlayStation Network has been down since April 20 after a hack of its systems. This week it revealed that the breach also affected Sony Online Entertainment, which is also offline.
Another company that failed to appear before the subcommittee, meanwhile, was third-party marketer Epsilon, which was recently hit by a data breach that exposed the email addresses and names of its corporate customers, including Best Buy, TiVo, and Target.
"According to Epsilon, the company did not have time to prepare for our hearing—even though its data breach occurred more than a month ago," Bono Mack said.
"Like their customers, both Sony and Epsilon are victims, too. But they also must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits 'enter,'" Bono Mack said. "E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it—and that starts with robust cyber security."
Bono Mack was surprised that Sony chose to inform its users about the breach via its corporate blog.
"Sony put the burden on consumers to 'search' for information, instead of accepting the burden of notifying them," she said. "If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future."
Sony also chose to respond to the subcommittee on its blog, posting a letter it sent to Bono Mack and the other members.
"Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack," the company wrote. "We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named 'Anonymous' with the words 'We are Legion.'"
As of today, major credit card companies have not reported fraudulent activity related to the Sony hack, the company said.
Meanwhile, Sen. Blumenthal, a Connecticut Democrat, raised similar concerns. He had already penned a letter to Sony president Jack Tretton last week demanding answers about the hack, but did not receive a response. He has since written another letter to Tretton and Sony chairman Kazuo Hirai.
"Although Sony learned of the intrusion on its servers on April 19 and subsequently shut down its PlayStation Network, it did not begin sending email notification to users until a week later," Blumenthal wrote. "Representatives of Sony have told my staff that this delay was due to Sony's inability to send out more than 500,000 emails per hour, thus requiring several days to notify all of the affected users. If those technological limitations are true, today's report that 24.6 million additional Sony customers may have been affected and will require notification is particularly troubling. I ask that additional steps be taken to expedite and speed notification."
According to the Wall Street Journal, Sony is working with three outside security firms to help fortify its networks: Protiviti Inc., Guidance Software Inc. and Data Forté Corp. The Journal also reported that some of the attacks came from a Malaysia-based server, though the paper's source didn't know if the hacking took place there or if there were other servers involved.
How Widespread is Data Theft?
Wednesday's hearing did include input from the Federal Trade Commission, the Secret Service, the Center for Democracy & Technology (CDT), and Purdue University executive director Gene Spafford.
Spafford suggested that Sony and other companies are using flawed systems.
"My personal conclusion from reviews of reports in the press and discussions at professional meetings is that operators of these systems—both in government and the private sector—continue to run outmoded, flawed software, fail to follow some basic good practices of security and privacy, and often have insufficient training or support," Spafford said, though he said he has "no information about what protections [Sony] had in place."
Justin Brookman, director of consumer privacy at the CDT, said the Sony and Epsilon breaches have made headlines recently, but the subject is nothing new. "Data breach is a major longstanding problem for consumers, businesses and government," he said.
Brookman suggested that "the financial and reputational cost of notification may not provide many companies with adequate incentive to properly protect consumers' data in the first place."
If Congress takes action on this issue, the solution "should be a mix of requirements and incentives for both companies and government bodies to install sufficient front-end data security measures, to minimize their holdings of consumer data that is no longer necessary for a specific, legitimate purpose, and to develop structures that monitor and control where consumer data resides," Brookman said.
He also pushed for comprehensive legislation. At this point, 46 states and D.C. have legislation regarding the breach of personal information, while the federal government has a "patchwork" of laws that cover data in certain contexts, Brookman said.
David Vladeck, director of the Bureau of Consumer Protection at the FTC, reiterated the commission's support for legislation that would "impose data security standards on companies and ... require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach."
Vladeck also pushed for "prompt notification" in the event of a breach and services that would help prevent ID theft.
"For example, in the case of a breach of Social Security numbers, notified consumers can request that fraud alerts be placed in their credit files, obtain copies of their credit reports, scrutinize their monthly account statements, and take other steps to protect themselves," Vladeck said.
Pablo Martinez, deputy special agent in charge of the Criminal Investigative Division at the Secret Service, said his agency has observed "a marked increase in the quality, quantity and complexity of cyber crimes targeting private industry and critical infrastructure, [including] network intrusions, hacking attacks, malicious software and account takeovers leading to significant data breaches affecting every sector of the world economy."
Martinez discussed portals known as "carding Web sites" that "operate like online bazaars where criminals converge to trade personal financial data and cyber-tools of the trade."
"The Web sites vary in size, from a few dozen members to some of the more popular sites boasting membership of approximately 80,000 users," Martinez said.