WASHINGTON/BOSTON Sony Corp blamed Internet vigilante group Anonymous for indirectly allowing a hacker to gain access to personal data of more than 100 million video game users.
The accusation came in a letter to Congress and prompted renewed complaints that the Japanese electronics giant's disclosure had been inadequate and tardy.
The company said it waited two days after first discovering data was stolen from its PlayStation video game network before contacting law enforcement, and did not meet with FBI officials until five days later.
"Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack," Kazuo Hirai, chairman of the board of Sony Computer Entertainment America, said in a letter to the U.S. Congress.
The theft prompted the U.S. Justice Department and Federal Bureau of Investigation to open an investigation, officials said on Wednesday.
"It is something we are taking extremely seriously," said U.S. Attorney General Eric Holder.
He said the government is also probing the theft of reams of email addresses and names that Alliance Data Systems Corp's Epsilon marketing unit discovered last month.
New York Attorney General Eric Schneiderman has subpoenaed Sony entities over the breaches.
Schneiderman subpoenaed Sony for conversations and documents that related to its security systems and any representations about those systems made to consumers, said a source familiar with the issue. A Schneiderman spokesman declined comment.
Wedbush Securities analyst Michael Pachter said Sony's public disclosures have not been sufficient to quell customer concerns about the theft.
He would like to see Sony notify each of the 12.3 million customers whose credit data may have been stolen.
"Sony needs to make a statement to consumers: 'You will not be harmed, and we will indemnify you against any harm,' And they just have not done that in any of their apologies."
Sony said that its video game network was breached at the same time it was defending itself against a major denial-of-service attack by a group calling itself Anonymous. A denial-of-service attacks makes a server or system unavailable by overwhelming its network with internet traffic.
Anonymous is the name of a grass-roots cyber group that in December launched attacks that temporarily shut down the sites of MasterCard Inc and Visa Inc using simple software tools available for free over the Internet.
The group attacked the two credit card companies with denial-of-service attacks that overwhelmed their servers for blocking payments to WikiLeaks.
Sony said on Wednesday that Anonymous targeted it several weeks ago using a denial-of-service attack in protest of Sony defending itself against a hacker in federal court in San Francisco.
The attack that stole the personal data of millions of Sony customers was launched separately, while the company was distracted protecting itself against the denial-of-service campaign, Sony said.
The company said it was not sure whether the organizers of the two attacks were working together.
Sony did say that its PC gaming unit, Sony Online Entertainment, discovered last Sunday a file planted on a server that was named "Anonymous" and had the words "We are legion," in it. But the self-styled vigilantes denied involvement in the data theft.
They released a statement via YouTube last month saying that while the group's organizers had not stolen the data, it was possible some members of the group were involved in the matter. (bit.ly/mG3WvT)
Members of Anonymous involved in the denial-of-service campaign may have decided to seize the opportunity to steal the data while Sony was distracted protecting its network, said Jeff Moss, chief security officer for the Internet Corporation for Assigned Names and Numbers, or ICANN.
The company noticed unauthorized activity on its network on April 19, and discovered that data had been transferred off the network the next day. It waited until April 22 to notify the FBI.
Sony chose to disclose the latest details of the attacks in a letter to the U.S. House Energy and Commerce subcommittee on commerce, manufacturing and trade rather than testify in a hearing on cyber attacks that was held on Wednesday.
Lawmakers expressed disappointment that Sony and Epsilon declined to appear at the hearing and pledged a bill that would require companies to do a better job of safeguarding their customers' data and to quickly disclose to customers when their data was lost.
Subcommittee Chairwoman Mary Bono Mack noted with dismay that Sony first disclosed the breach on a blog.
"Sony put the burden on consumers to search for information, instead of accepting the burden of notifying them," she said. "If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future."
(Additional reporting by Liana B. Baker and Joan Gralla in New York; Editing by Maureen Bavdek, Gerald E. McCormick and Steve Orlofsky)