Sony has pointed the finger directly at Anonymous for the hack on its online gaming database.
In a letter to the US Congress, Kazuo Hirai, chairman of the board of directors of Sony Computer Entertainment, claimed that Sony had been investigating the intrusion around the clock and that what had become ‘more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes’.
He went on to say that when the data theft was discovered, a file was also found on the server that was named ‘Anonymous’ and contained the words ‘we are Legion’.
“Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial-of-service (DoS) attack by the group Anonymous. The attacks were coordinated against Sony as a protest against Sony for exercising its rights in a civil action in the United States District Court in San Francisco against a hacker,” the letter said.
Hirai went on to claim that the breach occurred at the same time as the DoS attack and was not immediately detected because of its ‘sheer sophistication’ and because a ‘system software vulnerability’ was exploited.
He said: “Whether those who participated in the DoS attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know. In any case, those who participated in the DoS attacks should understand that – whether they knew it or not – they were aiding in a well planned, well executed, large-scale theft that left not only Sony a victim, but also Sony's many customers around the world.
“Making the internet safe for entertainment, commerce and education is a paramount government interest. The criminal cyber attacks on Sony have been and will continue to be perpetrated on other companies as well. If not addressed, these types of attacks could become more commonplace.”
Sony went on to confirm that unauthorised activity was detected on the afternoon of Tuesday 19th April, and that the discovery the next day that data had been transferred off the servers without authorisation prompted the shutdown of the network. The FBI was notified on 22nd April and details were given to law enforcement on Wednesday 27th April.
As for how the breach occurred, Sony said that it had discovered how it happened but was ‘reluctant to make full details publicly available because the information is the subject of an ongoing criminal investigation and also the information could be used to exploit vulnerabilities in systems other than Sony's that have similar architecture to the PlayStation network’. It also said that it had not identified the individual(s) responsible for the breach.
Asked what was taken, Sony confirmed that queries had been made for user names, addresses, email addresses, dates of birth, PlayStation Network/Qriocity passwords and logins, and online IDs. However, Sony also said that the major credit card companies had not reported any increase in the number of fraudulent transactions.
In a statement on 24th April, Anonymous claimed that it was not responsible. It said: “While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and does not take responsibility for whatever has happened.
“A more likely explanation is that Sony is taking advantage of Anonymous' previous ill-will towards the company to distract users from the fact that the outage is actually an internal problem with the company's servers.”
Robin Adams, director of security, fraud and risk management at The Logic Group, said: “I wonder if Sony are aware of the Payment Card Industry Data Security Standard (PCI DSS) since they are very effectively stating their non-compliance? The PCI DSS control 3.1 states that cardholder data must be kept to a minimum and that a data retention and deletion policy must be implemented, which involves a process for the secure deletion of cardholder data when it is no longer required. I would suggest outdated credit card databases fall fairly under this category.
“Not only that but the PCI DSS Prioritised Approach categorises the 220 plus controls into six risk levels and control 3.1 is one of only eight controls considered severe enough to be put in at risk level 1. In these litigious days one can only assume that the Sony lawyers and Marcom staff who proofread this statement had been missing during the security awareness training.”