There aren't many words left once you cut out the PR-speak.
Earlier today I posted an analysis of the first part of Sony Chairman Kazuo Hirai's letter to Congress. Once he was done trying to blame Sony's numerous security holes on Anonymous, Kazuo moved on to answer the direct questions asked by the Honorable Mary Mack and G.K. Butterfield.
1. When did you become aware of the illegal and unauthorized intrusion?
Sony gives the exact minute as 4:15 PM on April 19, 2011. The initial issue seemed to be certain systems rebooting when "not scheduled to do so". On April 20, Sony made the discovery that an unauthorized intrusion had occurred. This is the point at which the decision was made to shut the PlayStation Network down.
2. How did you become aware of the breach?
Sony admits that they are still working to identify and discern the "nature and scope" of the theft. Which means the damage could be even deeper than we know.
3. When did you notify the appropriate authorities of the breach?
Sony did not contact authorities until two days after the incursion was uncovered. They did not meet with the FBI until April 27, more than a week after the hack occurred.
4. Why did you wait to notify your customers of the breach?
Users weren't informed that their data was lost until April 26. Sony's justification seems to be that the hack was so complex it took them time to understand what had gone wrong. "Many hours" of complex mirroring was required "before analysis could begin". That said, by April 25 Sony knew "the scope of the personal data" taken. At the least, Sony waited a day longer than they should have.
The letter indicates that Sony's understanding of the quantity of leaked data has shifted greatly over the course of the investigation. That said, they should have kept users informed every step of the way of just what had been exposed.
5. Was the information obtained applicable to all accounts or a portion of the accounts? How many consumers or accounts were impacted by this breach, and how did you ascertain the number?
This is where Sony admits that "all" PSN user accounts had data pertaining to them stolen.
6. Have you identified how the breach occurred?
Yes. But Sony is "reluctant to make full details publicly available because the information is the subject of an on-going criminal investigation". And also, "the information could be used to exploit vulnerabilities" in non-Sony systems that use a similar architecture. I wonder if we'll ever get to learn just what those vulnerabilities were.
7. Have you identified the individual[s] responsible for the breach?
8. What information was obtained by the unauthorized individual[s] as a result of the breach, and how did you ascertain this information?
Here Sony notes that "the major credit card companies" have not reported any increase in fraudulent card use "as a result of the attack". Nor have any fraudulent charges related to the attack been reported. Individual user reports of stolen credit cards were not mentioned, so the veracity of those claims must still be suspect.
9. How many PlayStation Network account holders provided credit card information to Sony?
12.3 million people had their cards on file in PSN. 5.6 million of those people were in the United States.
10. Your statement indicated you have no evidence at this time that credit card information was obtained, yet you cannot rule out this possibility. Please explain why you do not believe credit card data was obtained and why you cannot determine if the data was, in fact, taken?
Their forensics team has not seen any queries or transfers of credit card information. Yet. But those transfers may have been hidden or covered up. At this point, Sony still doesn't know the extent of what was exposed.
11. What steps have you taken or do you plan to take to prevent future such breaches?
Sony has added in automated software monitoring and "enhanced levels of data protection and encryption". They have improved their ability to detect intrusions and "unusual activity patterns" and added in further firewalls to slow hackers. Sony also sped up their move to a more secure data center and named a new Chief Information Security Officer.
No word yet on whether personal data will be encrypted, or not, from now on.
And the rest of the letter is basically jibber-jabber. Sony promising to adhere to more stringent security standards and detailing their "Welcome Back" program. You can read it all here if you haven't gotten your dose of PR spin today.