Sony data breach: Kaz writes to congress, and the impact of the outage on SOE

Another rough day for Sony, yesterday, as the company failed to appear at a congressional hearing to investigate the recent data breach. According to BusinessInsider, Rep. Mary Bono Mack (R-CA), chair of the Subcommittee on Commerce, Manufacturing and Trade, had a field day tearing into the company unopposed.

Bono Mack is quoted as saying (in regards to Sony's failure to appear) "Sony, meanwhile, says it’s too busy with its ongoing investigation to appear. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them..."

Which is pretty funny, given that Sony Chairman of the Board Kaz Hirai penned an 8-page letter to Bono Mack and Ranking Member G.K. Butterfield, answering a bunch of questions posed to the company. Sony also posted images of the letter on a Flickr account. It's an interesting read; I wonder if Bono Mack bothered to read it or if she was just out there trying to win votes, because there are a lot of straight answers in that letter. Sony also posted the CliffsNotes version of the letter on their blog.

Sony explains the gap between their first evidence of intrusion (when a couple of servers rebooted for no apparent reason) and when they first started alerting users of the loss of data. Essentially this is a more detailed explanation of what Sony has already said: that it took a few days before they were confident data had been stolen, and the company was "...very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence." (pages 4 & 5 of the letter).

They also mention that it took several days to mirror the servers, something that needed to be done before the outside security teams could start the analysis. This step wasn't completed until April 22nd. If you've ever waited for a basic backup to complete, you ought to have some inkling of how long it might take to do a complete, sector-by-sector replication of a bunch of hard drives.

The biggest question, to my mind, still concerns credit card numbers. Sony has stood by its line of having no evidence that credit card data was stolen, while not being totally sure this is the case. When asked about this, Sony said that they knew the hacker queried the database to get personal data, and they had evidence of large amounts of data transferred as a result of those queries, but they've yet to uncover any evidence of queries run against the database that holds encrypted credit card data (page 6). That raises the question of how you ever prove something that isn't there. How long do you look for evidence before you say "The card data definitely wasn't stolen"? It sounds to me like Sony is being very careful about not promising anything with regard to credit card numbers.
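To make the "proving a negative" problem concrete, here is an added example (mine, not Sony's or from the letter) of the kind of check an incident responder runs over a database audit log: which tables were queried and how many rows came back, whether any of those queries were bulk pulls, and, crucially, whether the log was actually recording for the whole window. A table that never appears in the log is only evidence of absence if there are no gaps in coverage. The log lines, the table names (`user_profile`, `card_encrypted`), the bulk threshold and the gap tolerance are all constructed assumptions for the demonstration.

```python
"""
Added example, not part of the original article: summarise a constructed
database audit log and decide what it can and cannot say about a table
that never appears in it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format):
#   timestamp | principal | table | rows returned
SAMPLE_LOG = """\
2011-04-17T02:10:05 | app_svc | user_profile | 25000
2011-04-17T02:11:41 | app_svc | user_profile | 25000
2011-04-17T02:14:09 | app_svc | user_profile | 25000
2011-04-17T02:15:30 | app_svc | user_login   | 1
2011-04-17T02:16:02 | app_svc | user_profile | 25000
2011-04-17T09:47:13 | app_svc | user_login   | 1
"""

CARD_TABLE = "card_encrypted"   # assumed name of the table holding encrypted card data
BULK_THRESHOLD = 10000          # rows per query we treat as a bulk export (assumption)
MAX_GAP = timedelta(hours=1)    # longest silence tolerated before suspecting lost coverage (assumption)


def parse_log(text):
    """Parse the pipe-separated sample format into (time, principal, table, rows) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, principal, table, rows = [part.strip() for part in line.split("|")]
        events.append((datetime.fromisoformat(ts), principal, table, int(rows)))
    return events


def rows_per_table(events):
    """Total rows returned per table: the 'how much left' question."""
    totals = defaultdict(int)
    for _, _, table, rows in events:
        totals[table] += rows
    return dict(totals)


def bulk_queries(events, threshold=BULK_THRESHOLD):
    """Queries whose result size looks like an export rather than normal app traffic."""
    return [event for event in events if event[3] >= threshold]


def coverage_gaps(events, max_gap=MAX_GAP):
    """(start, end) pairs where the log is silent for longer than max_gap.

    Silence may mean nothing happened, or that logging was off or the logs
    were removed; either way the log cannot vouch for that interval."""
    times = sorted(event[0] for event in events)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


def card_table_verdict(events, card_table=CARD_TABLE):
    """'touched' if any query hit the card table; 'not_in_log' only if the log
    is continuous and never mentions it; otherwise 'inconclusive'."""
    if any(table == card_table for _, _, table, _ in events):
        return "touched"
    return "inconclusive" if coverage_gaps(events) else "not_in_log"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rows per table:", rows_per_table(evs))
    print("bulk queries:", len(bulk_queries(evs)))
    print("coverage gaps:", coverage_gaps(evs))
    print("card table verdict:", card_table_verdict(evs))
```

Run against the sample, the script finds four bulk pulls totalling 100,000 rows from `user_profile`, no query at all against `card_encrypted`, and one multi-hour silence in the log, so the verdict is "inconclusive" rather than "not touched". Drop the last line of the sample and the log becomes continuous, which is the only case in which "we found no queries against that table" carries real weight. That distinction is why a careful company hedges the way the letter does.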

Anyway, read the letter if you have time. It's interesting. And to Rep. Bono Mack: thanks very much for your concern, but I am most assuredly not "twisting in the wind." Hyperbole helps no one in a situation like this one.

In the meanwhile, the PlayStation Network is still down, which is bad, but Sony Online Entertainment's services are still down, too, which is disastrous. PS3 owners can still play offline titles, and anyway moving to a competing platform (Xbox 360, most likely) is a relatively expensive proposition (new console, new games, new extra controllers, Xbox Live membership). But for SOE's MMO gamer audience, having their games down is a great incentive for these customers to try, generally for free, a competing game. For every day these players spend leveling up in another game, the chance they'll stay away when the SOE games come back online increases.

Remember, SOE laid off a third of its staff at the end of March. Clearly this isn't a company that can afford to lose any customers, but I fear it'll lose many. The last report I've heard says SOE games won't be back online until Friday at the earliest. SOE has already said they'll give everyone a free month of service, plus another day for each day the service is offline, but I'm wondering if that'll be enough.

It's starting to feel like the crackers "won" this battle, assuming the intent was to 'punish' Sony for its behavior towards the hacker community.
