Sony Says It May Know How Hacker Penetrated Online Networks

Sony Corp. believes it knows how a hacker penetrated its online entertainment networks in an incident that exposed 100 million customer accounts, the company said in a letter to U.S. lawmakers released today.

Sony declined to publicly disclose how the hacker gained access, saying the information might jeopardize an ongoing probe of the attacks and put other networks at risk, according to the May 26 letter to Representatives Mary Bono Mack, a California Republican, and G.K. Butterfield, a North Carolina Democrat.

Sony still doesn’t know who was responsible for the intrusion or precisely how much information was taken, the company said in the letter responding to questions from Bono Mack and Butterfield. The hacker took steps to cover tracks in and out of the company’s servers and conceal what data was taken, Sony said.

“These gaps in what we know are not for lack of trying by experts, but rather an unfortunate testament to the skill of those who perpetrated the attacks,” Kazuo Hirai, Sony’s executive deputy president in charge of consumer products, wrote. “Some aspects of the intrusion may never be known.”

The incident at Tokyo-based Sony, which led the company to temporarily shut down its PlayStation gaming network, has sharpened U.S. government scrutiny of how companies protect consumer data and notify the public about cyber attacks.

Credit-Card Data

The Obama administration on May 12 released a proposal to shield banks, power grids and other critical infrastructure from hackers and create uniform laws for data breaches. Bono Mack has said she plans to introduce data protection legislation using Sony’s experience as a guide.

Bono Mack and Butterfield asked Sony on May 17 for more detail on the attack, including what customer information may have been stolen. So far, there is no evidence that credit-card data were taken during the attacks, Sony said in its letter.

“To date there have been no confirmed reports of credit card misuse or reports of an increase in fraudulent transactions resulting from this incident,” Sony said.

The company said it took “aggressive” action in responding to the breach and continues to work with the U.S. Federal Bureau of Investigation to catch the hacker responsible for the attack.

Sony, which was told today by the Japanese government to do more to prevent data breaches, said in the letter it has enhanced network security with new intrusion detection methods, firewall protections and application testing.

Sony to Testify

The Sony intrusion followed a March 30 breach at Alliance Data Systems Corp.’s Epsilon Data Management LLC that resulted in the theft of customer data from banks including Citigroup Inc. and JPMorgan Chase & Co., as well as retailers Best Buy Co. and Walgreen Co.

Sony and Epsilon have agreed to testify at a June 2 hearing on data security chaired by Bono Mack, her spokesman Ken Johnson said. Tim Schaaff, president of Sony Network Entertainment International, and Jeanette Fitzgerald, Epsilon’s general counsel, will appear as witnesses, Johnson said.

Both companies declined to take part in a May 4 data-theft hearing chaired by Bono Mack.