Sony’s efforts on PSN breach called “half-hearted, half-baked,” at US Congressional hearing
Today, the US House Subcommittee on Commerce, Manufacturing and Trade held a hearing regarding the PSN breach, which was broadcasted live via C-SPAN., like most meet-ups between government officials. During the hearing, Representative and Chairman of the committee, Mary Bono-Mack, called Sony’s response to the matter “half-hearted,” and “half-baked.”
“In Sony’s case, company officials first revealed information about the data breach on their blog,” said Bono-Mack during the hearing (via Industry Gamers). “That’s right. A blog. I hate to pile on, but—in essence—Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.
“For me, the single most important question is simply this: Why weren’t Sony’s customers notified sooner of the cyberattack? I fundamentally believe that all consumers have a right to know when their personal information has been compromised, and Sony – as well as all other companies—have an overriding responsibility to alert them… immediately.”
The hearing was set to discuss the risk to consumers over the PSN data breaches, how the current investigation was going, what the current industry data security practices are comprised of along with how they can be changed, and what, if anything, can be used technologically to stop beaches like this in the future.
Not only was Sony being discussed, but also recent data breaches from Epsilon and ChoicePoint were pondered during the hearing as well.
Sony was not involved with the hearing, as it stated yesterday it was currently still involved in the investigation, but planned to comply with the deadline set by the hearing committee in answering all questions posed to it. This response, was posted earlier by Sony via its official PS Blog, and in it the firm blamed hacker group Anonymous for the recent security breach.
According to Sony, it found a file called Anonymous in its system files with the phrase “We Are Legion” attached to it.
“[Sony and Epsilon] must shoulder some of the blame for these stunning thefts, which shake the confidence of everyone who types in a credit card number and hits ‘enter’,” said Bono-Mack. “As Chairman of this Subcommittee, I am deeply troubled by these latest data breaches, and the decision by both Epsilon and Sony not to testify today. This is unacceptable.
“According to Epsilon, the company did not have time to prepare for our hearing—even though its data breach occurred more than a month ago. Sony, meanwhile, says it’s too busy with its ongoing investigation to appear. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them.”
The need to protect consumers via federal notification laws was also discussed, and if drafted and passed, it would make it a federal law for companies to notify consumers immediately should such a security breach occur again. Currently, laws such as this vary from state to state, with some not having a law on the matter present on the books at all.
Witnesses participating the hearing included: David Vladeck, director of the Federal Trade Commission’s Bureau of Consumer Protection along with Pablo Martinez, deputy special agent in charge of criminal investigations at the United States Secret Service.
Consumer advocate Justin Broookman and Technology and information security expert Eugene Spafford of Purdue University also participated.
PlayStation Network breach details are continuing to come out thanks to the congressional hearing today, in which Rep. Mary Bono Mack and others on the subcommittee ripped into both Sony and data firm Epsilon for their poor handling of the situation. One of the most startling revelations to come from the hearing is that several key parts of Sony's network didn't even have firewall protection.
Dr. Gene Spafford, a professor of computer science at Perdue University since 1987 and an expert in information security (he's the editor of the oldest journal in the field of information security), was part of a panel that provided testimony on just how terribly weak Sony's system was. Spafford pointed out that numerous weaknesses in Sony's system actually became evident via security mailing lists a considerable time (read: months) before the breach occurred.
Worse yet, Spafford noted that key parts of PSN actually ran on Apache servers that "were unpatched and had no firewall installed." He said that this was known because of comments in a forum frequently visited by Sony employees.
Bottom line: if the severe network weaknesses were known months in advance and Sony made no attempts to enhance the security of their systems, even as major threats were being made publicly by Anonymous, then Sony looks highly culpable for negligence in this fiasco.