Kaz Hirai's letter to Congress on the PSN breach
Thirteen questions from the Congressional hearing on security breaches answered by Sony boss
7. Have you identified the individual(s) responsible for the breach?
No.
8. What information was obtained by the unauthorized individual(s) as a result of this breach, and how did you ascertain this information?
Based on the activity of the intruder, we know that queries were made in the PlayStation Network system database for user account information related to name, address (city, state, zip), country, email address, birthdate. PlayStation Network/Qriocity password and login, and handle/PlayStation Network online ID.
As of today, the major credit card companies have not reported that they have seen any increase in the number of fraudulent credit card transactions as a result of the attack, and they have not reported to us any fraudulent transactions that they believe are a direct result of the intrusions described above.
9. How many PlayStation Network account holders provided credit card information to Sony Computer Entertainment?
Globally, approximately 12.3 million account holders had credit card information on file on the PlayStation Network system. In the United States, approximately 5.6 million account holders had credit card information on file on the system. These numbers include active and expired credit cards.
10. Your statement indicated you have no evidence at this time that credit card information was obtained, yet you cannot rule out this possibility. Please explain why you do not believe credit card information was obtained and why you cannot determine if the data was in fact taken.
As stated above, Sony Network Entertainment America has not been able to conclude with certainty through the forensic analysis done to date that credit card information was not transferred from the PlayStation Network system.
We know that for other personal information contained in the account database, the hacker made queries to the database, and the external forensics teams have seen large amounts of data transferred in response to those queries. Our forensics teams have not seen queries and corresponding data transfers of the credit card information.
11. What steps have you taken or do you plan to take to prevent future such breaches.
The new security measures being implemented include the following:
- Added automated software monitoring and configuration management to help defend against new attacks;
- Enhanced levels of data protection and encryption;
- Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns;
- Implementation of additional firewalls; and
- The company also expedited a planned move Of the system to a new data center in a different location with enhanced security.
- The naming of new Chief Information Security Officer (CISO) directly reporting to the Chief Information Officer, Sony Corporation.
12. Do you currently have a policy that addresses data security and retention practices? If not, why not? If so, what are those practices and do you plan any changes in your policies as a result of this breach?
Yes, we do have policies that address data security and retention practices. Sony utilizes a global framework for providing policies to its group companies based on the international information security standard called "ISO/lEC 27001" to ensure consistent standard information security practices for each operating company.
The Global Information Security Policy ("GISP") sets forth the company's information security management structure and administrative, technical and physical safeguards to protect the confidentiality, integrity, and availability of non-public information.
The GISP also defines the overall direction and policy of Sony Group's information security program and the authorities and responsibilities for information security management. Additionally. Sony provides a set of 14 standards, Global Information Security Standards ("GISS"), that specify the types of controls needed for the different categories of information security management (e.g., information classification, access controls and HR security).
Continued application of these policies and practices, in addition to, an expedited move to our new enhanced security data facility, are the changes being made as a result of this breach.
13. what steps have you taken or do you plan to take to mitigate the effects of this breach? Do you plan to offer any credit monitoring or other services to consumers who suffer actual harm as a result of this breach?
Sony Network Entertainment America is committed to helping its Customers protect their personal data and will offer its U.S. account holders complimentary identity theft protection services. Because the breach affects customers worldwide, different programs may be Offered in other territories.
Sony Network Entertainment America is also creating a 'Welcome Back- program to be offered worldwide, which will be tailored to specific markets to provide our consumers with a selection of service options and premium content as an expression of the company's appreciation for their patience and support Central components of the 'Welcome Back'' program will include:
- Each territory will be offering selected PlayStation entertainment content for free download. Specific details of this content will be announced in each region soon.
- All consumers coming back to the PlayStation Network will be provided with 30 days of free membership in the PlayStation Plus premium subscription service. Current PlayStation Plus subscribers will have their subscriptions extended for the number of days PlayStation Network and Qriocity services were unavailable and, in addition, will receive 30 days of free service.
- Music Unlimited subscribers On countries where the service is available) will have their subscriptions extended for the number of days PlayStation Network and Qriocity services were unavailable and, in addition, receive 30 days Of free service.
I want to thank this Committee for giving me this opportunity to respond to its questions. I hope I have been able to convey the extraordinary circumstances and challenges that have confronted the employees of Sony Network Entertainment America and Sony Computer Entertainment America over the past few days and weeks. My employees were facing and have endured an unprecedented large-scale criminal cyber-attack.
They were faced with very difficult decisions and oftentimes conflicting concerns and objectives. Throughout this challenging period, they acted carefully and cautiously and strove to provide correct and accurate information while balancing concerns for our consumers' privacy and need for information.