Sony alleges Anonymous involvement in PSN outage

UPDATE

Anonymous has issued a press statement denying any involvement with the theft of credit card details form Sony's servers, although it doesn't go as far as to distance itself from the denial of service attacks which Sony claims weakened its defences enough to allow hackers access.

The hacktivist collective issued a letter in response to Sony mentioning the group in a letter to a US congress hearing, as reported below. The full press release from Anonymous can be read here.

Original story

Sony has intimated that loose hacking collective Anonymous may be involved in the PSN security breach currently engulfing the company, after revealing that investigators found a file bearing the group's name and motto on a hacked server.

In a lengthy letter to the US congressional hearing currently taking place on recent digital security breaches, SCEA president Kaz Hirai addressed several issues raised by the committee and appeared to link the recent attacks to Anonymous.

Hirai's letter states that on Sunday, investigators had discovered "that the intruders had planted a file on one of our Sony Online Entertainment servers named 'Anonymous' with the words 'We are Legion.'"

That epithet has appeared on several of Anonymous' communications and press releases and is considered to be something of a calling card. Hirai went on to point out that, only shortly before the most recent attack, Anonymous had claimed responsibility for a denial of service attack on Sony in protest at the company's prosecution of George 'Geohot' Hotz.

I am deeply troubled by these latest data breaches, and the decision by both Epsilon and Sony not to testify today. This is unacceptable.

Mary Bono Mack, chair of the Subcommittee on Commerce, Manufacturing, and Trade

"Just weeks before, several Sony companies had been the target of a large-scale, coordinated denial of service attack by the group called Anonymous," wrote Hirai. "The attacks were coordinated against Sony as a protest against Sony for exercising its rights in a civil action in the United States District Court in San Francisco against a hacker."

The letter is a response to a congressional request for answers to thirteen questions regarding the breach, one of which asks directly whether Sony has identified the culprits. Hirai's answer was "no".

Elsewhere, Hirai attempted to explain what many have seen as a tardy reaction to the crisis, particularly the delay in informing customers about the potential theft of important details.

"I am of course aware of the criticism Sony has received for the time taken to disclose information to our customers. I hope you can appreciate the extraordinary nature of the events the company was facing. brought on by a criminal hacker whose activity was neither immediately nor easily ascertainable. I believe that after you review all the facts you will agree that the company has been acting in good faith to release reliable information in accordance with its legal and ethical responsibilities to its valued customers.

"We have been investigating this intrusion around the clock since we discovered it, and that investigation continues today. Just this past Sunday, May 1st, we learned that a likely theft from another Sony company's online service had previously gone undetected, even after highly trained technical teams had examined the network infrastructure that had been attacked around the same time as the PlayStation Network.

"What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes. Sunday's discovery that data had been stolen from Sony Online Entertainment only highlights this point."

However, Hirai's attempts at ameliorating the concerns of the congressional hearing fell upon the relatively deaf ears of Rep. Mary Bono Mack, chair of the Subcommittee on Commerce, Manufacturing, and Trade. Apparently unsatisfied with Sony's excuses for not attending the hearing, Bono Mack called the response to the crisis "half-hearted and half-baked".

"[Sony and Epsilon] must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits 'enter'," sister site Industry Gamers reports Bono Mack as saying.

"As Chairman of this Subcommittee, I am deeply troubled by these latest data breaches, and the decision by both Epsilon and Sony not to testify today. This is unacceptable."

"According to Epsilon [another company which suffered a recent security breach], the company did not have time to prepare for our hearing - even though its data breach occurred more than a month ago. Sony, meanwhile, says it's too busy with its ongoing investigation to appear. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them..."

"Yet for me, the single most important question is simply this: Why weren't Sony's customers notified sooner of the cyber attack? I fundamentally believe that all consumers have a right to know when their personal information has been compromised, and Sony - as well as all other companies-have an overriding responsibility to alert them... immediately."

"In Sony's case, company officials first revealed information about the data breach on their blog. That's right. A blog. I hate to pile on, but - in essence - Sony put the burden on consumers to 'search' for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future."

Read Hirai's full letter to the hearing elsewhere on GamesIndustry.biz