A US Congress subcommittee met today to discuss the recent PSN data breach. Airing on C-SPAN, the congressional hearing criticized Sony for its lack of security and its slow response time -- and the company's reputation wasn't aided by the fact that it decided not to attend the gathering. The company said it was too busy with its ongoing investigation to appear. Instead, Kazuo Hirai, chairman of the board of directors at SCEA, responded to the concerns by releasing an eight-page letter after the fact. You can read the full statement on Flickr.
Rep. Mary Bono of the Subcommittee on Commerce, Manufacturing, and Trade said she is "deeply troubled" by the data breaches and that Sony's refusal to testify was unacceptable. Much of Bono's anger was focused on the way Sony handled the attack, asking why the company's customers weren't notified sooner. Sony took approximately one week to inform its users that hackers stole their sensitive information, including names, locations, email addresses, usernames and passwords, and possibly even credit card numbers.
"I fundamentally believe that all consumers have a right to know when their personal information has been compromised, and Sony -- as well as all other companies -- have an overriding responsibility to alert them... immediately," Bono said. She continued by calling Sony's efforts "half-hearted" and "half-baked" because the company announced the breach on its blog, forcing customers to seek the information. Sony has been emailing its 78 million registered accounts, but that's hardly a quick process -- we just got an email notification yesterday.
Defending itself, Sony said that it dealt with the attack by following four key principles: "act with care and caution, provide relevant information to the public when it has been verified, take responsibility for our obligations to our customers, and work with law enforcement authorities." The company's forensic teams needed until April 25 to determine what data was swiped, and Sony informed customers on April 26. It's still unknown whether credit card data was taken, but Sony notes that credit card companies haven't reported any related fraudulent transactions.
Interestingly, Sony is now blaming Anonymous for executing the attack. Although the hacker group has repeatedly denied involvement, Sony says it discovered a file on one of its servers named "Anonymous" that contained the words "We are Legion" -- a phrase commonly used by Anonymous. Additionally, the company believes that the denial of service attacks orchestrated by Anonymous and the subsequent PSN/Sony Online Entertainment breaches are related. Anonymous still denies responsibility, and a single file is hardly damning evidence.
Sony has employed a third security firm to aid in the investigation, which now involves US Homeland Security and the FBI. The company says it's still working around the clock to revive its services, but it hasn't provided any concrete dates. When everything is restored, the company promises to offer US customers a "Welcome Back" package that includes free downloads as well as 30 free days of PlayStation Plus and Music Unlimited. The company will also extend those subscriptions for the number of days services were unavailable.