On the 29th of April, a United States House of Representatives subcommittee sent SCEA Chairman Kazuo Hirai a letter asking questions regarding the PSN outage. Kazuo responded to that letter, but it seems that those answers weren’t enough: Mary Bono Mack, Chairman of that subcommittee, has sent yet more questions to Kazuo. Here is the letter:
May 17, 2011
Mr. Kazuo Hirai
Sony Computer Entertainment America
919 East Hillsdale Blvd.
Foster City, CA 99404
Dear Mr. Hirai:
We write today to follow up on requests we submitted in our letter to you on April 29, 2011. In that letter, we made several queries regarding the data breach experienced by Sony Corporation’s Playstation Network last month. We thank you for providing a written response and for making Sony representatives available to speak with us in person on May 3, 2011.
At the time you sent the above referenced response and at the time of the briefing, Sony was unable to answer several of the queries we posed in our April 29, 2011, letter. Now that more time has passed, enabling further investigation of the incident, and particularly in light of the news that Sony restarted its Playstation Network on May 14, 2011, we submit these questions to you again, as well as questions regarding the discovery of a breach impacting Sony Online Entertainment customers. We request answers no later than May 25, 2011.
1. Has your investigation revealed any additional information on what customer information was specifically obtained, and whether the information was obtained from all accounts or a portion of the accounts?
2. When Sony representatives briefed our staff on May 3, 2011, they indicated that personal information from all 77 million accounts had been breached in some form. In your May 3, 2011, response to our letter you indicated not every piece of information in each account had been stolen, but that some personal information on all 77 million had been stolen. Has your investigation revealed what information was taken from each individual account? Do you have any additional information that would call for revising the number of affected accounts?
3. Has your investigation revealed how the breach occurred?
4. Your initial reply to us on May 3 indicated the attack may have been coordinated and directed by the group of cyber criminals named “Anonymous”. Have you identified those who are responsible for the breach, including any individual(s)?
5. When our staffs met on May 3, 2011, your representatives indicated Sony could not confirm whether credit card information had been breached but, at the time, there was no evidence to indicate that such information had been breached. Has your investigation revealed any additional information regarding whether credit card information was indeed taken?
6. Sony discovered on May 1 that an additional breach of its network occurred. This breach reportedly involved approximately 25 million user accounts at Sony Online Entertainment.
a. Was this breach the same as, related to, or unrelated to the Sony Playstation Network breach? Have you identified the responsible party?
b. When did the breach occur? If there was a delay in the discovery of the Sony Online Entertainment breach, what was the reason for the delay?
c. How many user accounts were impacted?
d. What information was taken?
e. When did Sony notify its Sony Online Entertainment users that their accounts had been breached?
7. What steps has Sony taken or does Sony plan to take to mitigate the effects of these breaches on its customers?
8. Regarding both the Sony Playstation Network and the Sony Online Entertainment servers, you indicated in your May 3 response steps Sony is implementing to prevent future such breaches. Do you believe these additional security measures will prevent future breaches or illegal intrusions? Why did you not have these measures in place prior to the breach(es)?
9. Did Sony have a policy in place at the time of either breach addressing data security and data retention practices? If not, why not? If so, what are those practices and does Sony plan any changes in its policies as a result of this breach?
10. In today’s Wall Street Journal, Chief Executive Howard Stringer said Sony “can’t guarantee the security of its videogame network…in the ‘bad new world’ of cyber crime”. Please explain what he meant, as well as the potential impact on consumers.
Thank you for your attention to and assistance in this matter.
Mary Bono Mack
G. K. Butterfield