Not a great day for Sony.
First they got slammed at a Congressional hearing on data theft for not being willing to come testify. Representative Mary Bono Mack, Chairman, Subcommittee on Commerce, Manufacturing, and Trade, said:
As Chairman of this Subcommittee, I am deeply troubled by these latest data breaches, and the decision by both Epsilon and Sony not to testify today. This is unacceptable.
According to Epsilon, the company did not have time to prepare for our hearing – even though its data breach occurred more than a month ago. Sony, meanwhile, says it’s too busy with its ongoing investigation to appear. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them.
Sony did not appear, but they did submit their written response to Congressional inquiries. In their letter, Sony declined to indicate how the attack occurred due to the ongoing investigation, but noted that they had first detected problems on April 19, two days after the intrusion. Over the next few days, they brought in different forensics teams as part of their investigation. [Update: see Businessweek for the names of the firms]. Consumers were notified by email on April 26, when Sony also notified the New Hampshire Attorney General’s Office (pdf).
Of concern to some, Sony reportedly did not notify the FBI until two days after they detected the breach and did not meet with the FBI until 5 days after the breach. The DOJ confirmed today that they have opened an investigation into the breach.
Equally noteworthy, Sony has blamed the vigilante group Anonymous for at least part of the breach, alleging that when data were stolen, a file with the name “Anonymous” was inserted with the message, “We are Legion.” Sony was careful not to accuse Anonymous of being solely responsible for the theft of data and notes that their denial of service attacks on Sony may have simply provided others with an opportunity to attack the databases when the company’s attention was focused on dealing with the denial of service attacks.