In a letter to a House panel looking into data breaches on Wednesday, Sony said that it is the victim of a large, sophisticated cyber attack.
Sony executive Kazuo Hirai said the company believes it has identified the cause of the first attack, though not who is behind it. He said the firm found evidence that Anonymous, the loosely organized hacker group that has targeted the company in the past, is responsible for the attacks. The group has publicly denied involvement.
Hirai said in the letter responding to inquiries from a House Commerce subcommittee that intruders had planted a file on Sony’s hacked servers “named ‘Anonymous’ with the words ‘We Are Legion,’” a reference to the group’s motto.
“Whether those who participated in the denial of service attacks were conspirators of whether they were simply duped into providing cover for a very clever thief, we may never know,” Hirai wrote.
Sony declined an invitation to attend the hearing.
On April 26, Sony announced that hackers had broken into its PlayStation and Qriocity networks April 17-19 and may have released the personal and billing information of up to 77 million people.
On Monday, Sony reported a second security breach by hackers, who may have stolen personal information of about 24.6 million users on its Sony Online Entertainment site. The company has shut down the Web site.
At the Wednesday hearing, subcommittee members had harsh words for Sony. Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the first security breach earlier and that its efforts were “half-hearted, half-baked.” She was particularly critical of Sony’s decision to first notify customers of the attack via its company blog,leaving it up to customers to search for information on the breach. Hirai wrote that the company waited a week to notify customers because it took that long to get complete information on the attack.
In the letter, the company restated that it has had no confirmed reports of credit card fraud related to the breach. And the letter detailed the “Welcome Back” program Sony is launching to make amends with customers.
Sony will provide all PlayStation Network users with complimentary identity theft protection, 30 days of its PlayStation Plus premium service and 30 days of free service for Music Unlimited subscribers. The company is also giving PlayStation Plus and Music Unlimited subscribers one free day for each day the service is down.
It’s offering a similar deal to Sony Online Entertainment customers. The letter did not provide new information on the attack announced on Monday.