Sony says "Anonymous" set stage for data theft

WASHINGTON/BOSTON Wed May 4, 2011 3:44pm EDT

Howard Stringer, chief executive and president of Sony Corporation, speaks at a function to launch the Sony Media Technology Centre at a film school on the outskirts of Mumbai March 4, 2011. REUTERS/Danish Siddiqui


WASHINGTON/BOSTON (Reuters) - Sony Corp blamed Internet vigilante group Anonymous for indirectly allowing a hacker to gain access to personal data of more than 100 million video game users.

The accusation came in a letter to Congress and prompted renewed complaints that the Japanese electronics giant's disclosure had been inadequate and tardy.

The company said it waited two days after first discovering data was stolen from its PlayStation video game network before contacting law enforcement, and did not meet with FBI officials until five days later.

"Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack," Kazuo Hirai, chairman of the board of Sony Computer Entertainment America, said in a letter to the U.S. Congress.

The theft prompted the U.S. Justice Department and Federal Bureau of Investigation to open an investigation, officials said on Wednesday.

"It is something we are taking extremely seriously," said U.S. Attorney General Eric Holder.

He said the government is also probing the theft of reams of email addresses and names that Alliance Data Systems Corp's Epsilon marketing unit discovered last month.

New York Attorney General Eric Schneiderman has subpoenaed Sony entities over the breaches.

Schneiderman subpoenaed Sony for conversations and documents that related to its security systems and any representations about those systems made to consumers, said a source familiar with the issue. A Schneiderman spokesman declined comment.

GOOD ENOUGH?

Wedbush Securities analyst Michael Pachter said Sony's public disclosures have not been sufficient to quell customer concerns about the theft.

He would like to see Sony notify each of the 12.3 million customers whose credit data may have been stolen.

"Sony needs to make a statement to consumers: 'You will not be harmed, and we will indemnify you against any harm,' And they just have not done that in any of their apologies."

Sony said that its video game network was breached at the same time it was defending itself against a major denial-of-service attack by a group calling itself Anonymous. A denial-of-service attack makes a server or system unavailable by overwhelming its network with internet traffic.

Anonymous is the name of a grass-roots cyber group that in December launched attacks that temporarily shut down the sites of MasterCard Inc and Visa Inc using simple software tools available for free over the Internet.

The group attacked the two credit card companies for blocking payments to WikiLeaks, using denial-of-service attacks that overwhelmed their servers.

Sony said on Wednesday that Anonymous targeted it several weeks ago using a denial-of-service attack in protest of Sony defending itself against a hacker in federal court in San Francisco.

The attack that stole the personal data of millions of Sony customers was launched separately, while the company was distracted protecting itself against the denial-of-service campaign, Sony said.

The company said it was not sure whether the organizers of the two attacks were working together.

Sony did say that its PC gaming unit, Sony Online Entertainment, discovered last Sunday a file planted on a server that was named "Anonymous" and had the words "We are legion," in it. But the self-styled vigilantes denied involvement in the data theft.

They released a statement via YouTube last month saying that while the group's organizers had not stolen the data, it was possible some members of the group were involved in the matter. (bit.ly/mG3WvT)

Members of Anonymous involved in the denial-of-service campaign may have decided to seize the opportunity to steal the data while Sony was distracted protecting its network, said Jeff Moss, chief security officer for the Internet Corporation for Assigned Names and Numbers, or ICANN.

'HALF-BAKED' RESPONSE

The company noticed unauthorized activity on its network on April 19, and discovered that data had been transferred off the network the next day. It waited until April 22 to notify the FBI.

Sony chose to disclose the latest details of the attacks in a letter to the U.S. House Energy and Commerce subcommittee on commerce, manufacturing and trade rather than testify in a hearing on cyber attacks that was held on Wednesday.

Lawmakers expressed disappointment that Sony and Epsilon declined to appear at the hearing and pledged a bill that would require companies to do a better job of safeguarding their customers' data and to quickly disclose to customers when their data was lost.

Subcommittee Chairwoman Mary Bono Mack noted with dismay that Sony first disclosed the breach on a blog.

"Sony put the burden on consumers to search for information, instead of accepting the burden of notifying them," she said. "If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future."

(Additional reporting by Liana B. Baker and Joan Gralla in New York; Editing by Maureen Bavdek, Gerald E. McCormick and Steve Orlofsky)

Comments (6)
Tamooj wrote:
ROFL! “…while the company was distracted protecting itself against the denial of service campaign, Sony said.” What a load of crap. It’s not like they were using shopping mall security guards who could be ‘distracted’ by a commotion while shoplifting happened.

SOE had stupid gaping holes in their billing system, and they cut corners by using a semi-secure datacenter. And while we’re on the topic; why was customer personal information *and* credit card data even stored in the same facility??! This is in total contravention of industry best-practices, and in many places, against the law.
They ought to be fined by the FTC for such gross incompetence, then face a class-action lawsuit, and then a stockholder lawsuit, and then they should all be fired. Somewhere there is an IT security consultant who is saying “I told them not to do it this way, but they wanted to save money”. Why is business always so short-sighted? All stockholders take note: Generating revenue is NOT the same thing as building value.

May 04, 2011 12:52pm EDT
socratesfoot wrote:
Blaming Anon? Of course. This couldn’t have anything to do with Sony running the accounts on old outdated versions of Apache, using only Windows servers, and choosing to run them without the firewalls in place. Anon is MUCH more likely. *sarcasm*

I’d say the fact the credit cards thus far haven’t been used, that the exploits were posted on a blog internally, and that Sony is keeping this an internal investigation says it’s much more likely that someone internally was probably doing it in the interest of forcing the upgrade. Most likely an internal employee pissed over Sony’s stupidity and bad management of our data.

May 04, 2011 2:46pm EDT
finfollower wrote:
Not an IT person per se, but “distracted?” WTF is that supposed to mean? A company the size of SONY can be distracted by a DOS event to the point that they completely miss an unauthorized intrusion that sucks down millions of customer files and transfers them off server? And then the company takes days to contact law enforcement and days more before they involved the feds?

One very good reason not to own a playstation or register anything with SONY. This entire cover story smacks of something much, much more that is being covered up.

May 04, 2011 3:09pm EDT