* Sony says Anonymous group bears indirect responsibility
* Sony waited 2 days before contacting FBI about breach
* Justice Department, FBI open investigation
* New York attorney general subpoenas Sony
(Adds analysts' comments, details on investigations)
By Diane Bartz and Jim Finkle
WASHINGTON/BOSTON, May 4 Sony Corp (6758.T)
blamed Internet vigilante group Anonymous for indirectly
allowing a hacker to gain access to personal data of more than
100 million video game users.
The accusation came in a letter to Congress and prompted
renewed complaints that the Japanese electronics giant's
disclosure had been inadequate and tardy.
The company said it waited two days after first discovering
data was stolen from its PlayStation video game network before
contacting law enforcement, and did not meet with FBI officials
until five days later.
"Sony has been the victim of a very carefully planned, very
professional, highly sophisticated criminal cyber attack,"
Kazuo Hirai, chairman of the board of Sony Computer
Entertainment America, said in a letter to the U.S. Congress.
The theft prompted the U.S. Justice Department and Federal
Bureau of Investigation to open an investigation, officials
said on Wednesday.
"It is something we are taking extremely seriously," said
U.S. Attorney General Eric Holder.
He said the government is also probing the theft of reams
of email addresses and names that Alliance Data Systems Corp's
(ADS.N) Epsilon marketing unit discovered last month.
New York Attorney General Eric Schneiderman has subpoenaed
Sony entities over the breaches.
Schneiderman subpoenaed Sony for conversations and
documents that related to its security systems and any
representations about those systems made to consumers, said a
source familiar with the issue. A Schneiderman spokesman
Wedbush Securities analyst Michael Pachter said Sony's
public disclosures have not been sufficient to quell customer
concerns about the theft.
He would like to see Sony notify each of the 12.3 million
customers whose credit data may have been stolen.
"Sony needs to make a statement to consumers: 'You will not
be harmed, and we will indemnify you against any harm.' And
they just have not done that in any of their apologies."
Sony said that its video game network was breached at the
same time it was defending itself against a major
denial-of-service attack by a group calling itself Anonymous.
A denial-of-service attack makes a server or system
unavailable by overwhelming its network with internet traffic.
Anonymous is the name of a grass-roots cyber group that in
December launched attacks that temporarily shut down the sites
of MasterCard Inc (MA.N) and Visa Inc (V.N) using simple
software tools available for free over the Internet.
The group hit the two credit card companies with
denial-of-service attacks that overwhelmed their servers, in
retaliation for their blocking payments to WikiLeaks.
Sony said on Wednesday that Anonymous targeted it several
weeks ago using a denial-of-service attack in protest of Sony
defending itself against a hacker in federal court in San
The attack that stole the personal data of millions of Sony
customers was launched separately, while the company was
distracted protecting itself against the denial-of-service
campaign, Sony said.
The company said it was not sure whether the organizers of
the two attacks were working together.
Sony did say that its PC gaming unit, Sony Online
Entertainment, discovered last Sunday a file planted on a
server that was named "Anonymous" and had the words "We are
legion," in it. But the self-styled vigilantes denied
involvement in the data theft.
They released a statement via YouTube last month saying
that while the group's organizers had not stolen the data, it
was possible some members of the group were involved in the
Members of Anonymous involved in the denial-of-service
campaign may have decided to seize the opportunity to steal the
data while Sony was distracted protecting its network, said
Jeff Moss, chief security officer for the Internet Corporation
for Assigned Names and Numbers, or ICANN.
The company noticed unauthorized activity on its network on
April 19, and discovered that data had been transferred off the
network the next day. It waited until April 22 to notify the
Sony chose to disclose the latest details of the attacks in
a letter to the U.S. House Energy and Commerce subcommittee on
commerce, manufacturing and trade rather than testify in a
hearing on cyber attacks that was held on Wednesday.
Lawmakers expressed disappointment that Sony and Epsilon
declined to appear at the hearing and pledged a bill that would
require companies to do a better job of safeguarding their
customers' data and to quickly disclose to customers when their
data was lost.
Subcommittee Chairwoman Mary Bono Mack noted with dismay
that Sony first disclosed the breach on a blog.
"Sony put the burden on consumers to search for
information, instead of accepting the burden of notifying
them," she said. "If I have anything to do with it, that kind
of half-hearted, half-baked response is not going to fly in the
(Additional reporting by Liana B. Baker and Joan Gralla in New
York; Editing by Maureen Bavdek, Gerald E. McCormick and Steve