Sony is continuing to run damage control in the wake of the PSN breach, balancing the demands of an increasingly indignant public with controlling their message, all the while struggling to keep a positive public standing. As Dawdle noted over the weekend, Sony plans to launch a "Welcome Back" program upon restoration of the PSN - one that aims to pacify outraged users while calling attention to newer features like Playstation Plus - as part of their goal to reach out to disaffected users, reassuring them that Sony is willing to make amends, however insignificant they may be in the eyes of consumers. Further adding to the company's woes is news that Congress recently addressed the topic of data security, offering some rather unkind words for Sony. Representatives from the company refused to appear at the hearing, "The Threat of Data Theft to American Consumers"; instead, Sony released a statement over the Playstation blog, as well as an eight-page letter from CEO Kaz Hirai, which can be read here.
From the Playstation blog, beginning with Sony's contingency plan for the intrusion:
1. Act with care and caution.
2. Provide relevant information to the public when it has been verified.
3. Take responsibility for our obligations to our customers.
4. Work with law enforcement authorities.
We also informed the subcommittee of the following:
Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named "Anonymous" with the words "We are Legion."
By April 25, forensic teams were able to confirm the scope of the personal data they believed had been taken, and could not rule out whether credit card information had been accessed. On April 26, we notified customers of those facts.
As of today, the major credit card companies have not reported any fraudulent transactions that they believe are the direct result of this cyber attack.
Protecting individuals' personal data is the highest priority and ensuring that the Internet can be made secure for commerce is also essential. Worldwide, countries and businesses will have to come together to ensure the safety of commerce over the Internet and find ways to combat cybercrime and cyber terrorism.
We are taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a new Chief Information Security Officer.
While Sony states that credit card data was encrypted, user data and passwords were not, raising fears of access to accounts by unauthorized users. Sony has also sought to reassure PSN members that even if hackers were to decrypt the data, thus providing hackers with users' credit card information, the three-digit security code on the back of one's card is not stored on the PSN. Anonymous has made no further comment on the security breach. They have denied responsibility in the past, while entertaining the possibility that the theft could have been carried out by a rogue hacker.
Until then, we're left with the Sony line, that sophisticated tactics circumvented an otherwise-sound system, proper measures were taken, and the delay in customer notifications occurred not because of ignorance or sloth, but because they had been informed a mere day earlier that credit card data, encrypted or not, had been compromised. The reliability of the news certainly warrants suspicion - Sony, like any corporation, wishes to be cast in the best possible light regarding the matter - but for the time being, we find ourselves at a loss for the truth behind the PSN breach.