Kaz Hirai's letter to Congress on the PSN breach
Thirteen questions from the Congressional hearing on security breaches answered by Sony boss
2. How did you become aware of the breach?
Sony Network Entertainment America became aware of the PlayStation Network intrusion as described above. The Sony Network Entertainment America team became aware of a transfer of data out of the system also as described above. Sony Network Entertainment America then began the exhaustive and highly sophisticated process of identifying the means of access and the nature and scope of the theft. That investigation is on-going to this day.
3. When did you notify the appropriate authorities of the breach?
On April 22, 2011, Sony Computer Entertainment America's general counsel provided the FBI with information about the intrusion. (Sony Computer Entertainment America oversees the PlayStation brand in North America and has been involved with the PlayStation Network's operation since its inception.) The forensic experts that Sony Network Entertainment America had retained had not determined the scope or effect of the intrusion at the time the FBI was contacted. A meeting was set up to provide details to law enforcement for Wednesday, April 27, 2011.
Following an extensive investigation by a team of external forensic computer experts with the assistance of the internal network service team, Sony Network Entertainment America and Sony Computer Entertainment America coordinated to provide public notice of the intrusion on April 26, 2011.
On the same day, Sony Network Entertainment America notified the applicable regulatory authorities in the states of New Jersey, Maryland, and New Hampshire. On April 27, 2011, Sony Network Entertainment America also notified regulatory authorities in the states of Hawaii, Louisiana, Maine, Massachusetts, Missouri, New York, North Carolina, South Carolina, Virginia and Puerto Rico of the criminal intrusion described above.
4. Why did you wait to notify your customers of the breach?
The PlayStation Network is a complex network, consisting of approximately 130 servers, 50 software programs and 77 million registered accounts. The basic facts of what occurred after the intrusion bear this out.
On April 19, 2011, the Sony Network Entertainment America network team discovered that several PlayStation Network servers unexpectedly rebooted themselves and that unplanned and unusual activity was taking place on the network. This activity triggered an investigation. The network team took four servers off line and an internal assessment began.
The internal assessment of these four servers continued through the end of the business day and into the evening. The next day, April 20th, Sony Network Entertainment America mobilized a larger internal team to assist the investigation of the four suspect servers.
This internal team discovered the first credible indications that an intruder had been in the PlayStation Network systems, and six more servers were identified as possibly being compromised. Sony Network Entertainment America immediately decided to shut down all of the PlayStation Network services.
In the afternoon of April 20th, Sony Network Entertainment America retained a recognized security and forensic consulting firm to mirror the servers to enable forensic analysis to begin.
The type of mirroring required to provide meaningful information in this type of situation had to be meticulous. Many hours were needed simply to mirror servers before analysis could begin. Sony Network Entertainment America and its outside forensics team began to work on mirroring the servers.
The scope and complexity of the investigation grew substantially as additional evidence about the attack developed. On April 21, 2011, Sony retained a second recognized computer security and forensic consulting firm to assist in the investigation, to provide more manpower to image the servers and to conduct a forensic analysis of all aspects of the suspected security breach. The team took until the afternoon of April 22, 2011 to complete the mirroring of nine of the 10 servers that were suspected of being compromised.
By the evening of April 23, 2011, the forensic teams were able to confirm that intruders had used very sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators, and escalate privileges inside the servers. Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network.
Now Sony Network Entertainment America knew it was dealing with a sophisticated hacker and (on Easter Sunday) decided that it needed to retain yet another forensic team with highly specialized skills to assist with the investigation.
Specifically, this firm was retained to provide even more manpower for forensic analysis in all aspects of the suspected security breach, and, in particular, to use their special skills to determine the scope of the data theft. By April 25, 2011, the forensic teams were able to confirm the scope of the personal data that they believed had been taken but could not rule out whether credit card information had been accessed.
Sony Network Entertainment America was of course aware of its affirmative obligations under various state statutes to conduct a reasonable and prompt investigation to determine the scope and depth of the breach and to restore the integrity of our network system.
Sony Network Entertainment America further understood its obligation to report its finding to consumers if certain, specific kinds of personal information could have been compromised. As this Committee knows, there are a variety of state statutes that apply and several that have conflicting or inconsistent requirements, but given the global nature of the network, Sony Network Entertainment America needed to be mindful of them all.
Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence.
For example, as of April 25, 2011, Sony had not and could not determine if credit card information had been accessed and, while no evidence existed at the time that this type of information had been taken, we ultimately could not rule out that possibility entirely based on the reports of the forensics teams.
Given that situation, on April 26, 2011, Sony Network Entertainment America and Sony Computer Entertainment America notified consumers that their personal information had been taken and that the companies could not rule out the possibility that credit card data had been stolen as well.
5. Was the information obtained applicable to all accounts or a portion of the accounts? How many consumers or accounts were impacted by this breach, and how did you ascertain the number?
Information appears to have been stolen from all PlayStation Network user accounts, although not every piece of information in those accounts appears to have been stolen. The criminal intruders stole personal information from all of the approximately 77 million PlayStation Network and Qriocity service accounts.
6. Have you identified how the breach occurred?
Yes, we believe so. Sony Network Entertainment America is continuing its investigation into this criminal intrusion, and more detailed information could be discovered during this process. We are reluctant to make full details publicly available because the information is the subject of an on-going criminal investigation and also the information could be used to exploit vulnerabilities in systems other than Sony's that have similar architecture to the PlayStation Network.