After implementing "a variety of new security measures to provide greater protection of personal information," Sony has announced that it will begin a phased restoration of its PlayStation Network and Qriocity.
The services were shut down following a criminal cyberattack on the company’s San Diego data center last week. The company says it has since consulted with multiple expert information security firms and conducted an extensive audit of the system.
On Wednesday, a subcommittee of the U.S. House of Representatives Committee on Energy and Commerce held a hearing in Washington, D.C., on “The Threat of Data Theft to American Consumers.” Kazuo Hirai, chairman of the board of directors of Sony Computer Entertainment America, submitted written answers to questions posed by the subcommittee about Sony's cyberattack. Hirai defended Sony's response to the attack and its communication of the possible repercussions to consumers.
"Sony Network Entertainment America is committed to helping its customers protect their personal data and will offer its U.S. account holders complimentary identity theft protection services," Hirai wrote. "Because the breach affects customers worldwide, different programs may be offered in other territories."
Hirai also outlined other security measures Sony implemented in response to the attack. For example, Sony has created a chief information security officer position that the company says will provide accountability for customer data protection and supplement existing information security personnel.
Other security measures implemented by Sony include:
- Added automated software monitoring and configuration management to help defend against new attacks.
- Enhanced levels of customer data protection and encryption.
- Enhanced ability to detect software intrusions within the network, unauthorized access and unusual activity patterns.
- Implementation of additional firewalls.
The company has expedited an already planned move of the system to a new data center in a different location that has been under construction and development for several months. PlayStation 3 will also have a forced system software update that will require all registered PlayStation Network users to change their account passwords before being able to sign into the service. That password can be changed only on the same PS3 on which that account was activated, or through validated email confirmation, in an effort to further protect customer data.
"While there is no evidence at this time that credit card data was taken, the company is committed to helping its customers protect their personal data and will provide a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs," according to a Sony statement. "The implementation will be at a local level and further details will be made available shortly in each region."
During a data theft hearing held by the Subcommittee on Commerce, Manufacturing, and Trade on Wednesday, Chairman Mary Bono Mack blasted Sony's response to the breach and the company's lack of attendance at the hearing.
"With 77 million accounts stolen -- including some 10 million credit card numbers -- the data breach involving Sony’s PlayStation Network has the potential to become the ‘Great Brink’s Robbery’ of cyberattacks," Bono Mack said during her opening statement.
Delayed response to data breach criticized
Bono Mack also called for additional safeguards for protection of personal information, and promised to introduce legislation to accomplish this goal. She added that the guiding principle of any legislation should be that consumers be promptly informed when their personal information has been jeopardized.
"Why weren't Sony’s customers notified sooner of the cyberattack?" Bono Mack asked. "I fundamentally believe that all consumers have a right to know when their personal information has been compromised, and Sony -- as well as all other companies -- have an overriding responsibility to alert them immediately."
Responding to the criticism for waiting to inform consumers of the breach, Hirai said Sony understands its obligation to report its findings to consumers if specific personal information could have been compromised.
However, the company was concerned that announcing partial or tentative information could cause confusion and lead to "unnecessary actions," he said.
"For example, as of April 25, 2011, Sony had not and could not determine if credit card information had been accessed and, while no evidence existed at the time that this type of information had been taken, we ultimately could not rule out that possibility entirely based on the reports of computer forensics teams," Hirai wrote in his letter.
Also this week, two lawsuits were filed against Sony in response to the data breach. A Canadian law firm announced it is seeking a $1 billion class action lawsuit against Sony, claiming a breach of privacy. Another suit filed in U.S. District Court accused the company of "negligence in data security."
Let us know what you think about the story; email Ben Cole, Associate Editor.