PlayStation Network Hack Questions Linger Even After Long Sony Q-and-A
Unanswered questions about the PlayStation Network hack lingered even after Sony executives concluded an 80-minute Q-and-A with reporters during an extraordinary Sunday news conference in Tokyo. Nearly a week after finally coming clean with PSN users to say they had shut the network down a week earlier upon discovering that subscribers’ personal data had been stolen, executives at the news conference said they still couldn’t rule out the possibility that credit card information also had been taken.
Why Sony can’t say for sure whether credit card data was breached was one of 13 questions that the U.S. House Commerce Manufacturing Subcommittee leadership posed to Sony Deputy President Kazuo Hirai in a letter late Friday that requested answers within a week. The subcommittee scheduled a hearing for Wednesday to probe the threat of data theft to U.S. consumers, including the PSN breach. “Given the amount and nature of the personal information known to have been taken” in the PSN hack, “the potential harm that could be caused if credit card information was also taken would be quite significant,” said the letter, signed by Subcommittee Chair Mary Bono Mack, R-Calif., and its ranking member, G.K. Butterfield, D-N.C. The letter was addressed to Hirai at Sony Computer Entertainment America offices in Foster City, Calif.
At the news conference, which Sony streamed live in Japanese and translated into English, Hirai said he personally hadn’t received the letter from Mack and Butterfield but that Sony had downloaded it and was reviewing it. “We're trying our best to respond to the questions in good faith and in the most sincerest manner,” Hirai said. He didn’t say at the time whether he or other Sony representatives planned to appear at the subcommittee’s hearing.
But Sony refused to testify at the hearing because of the company’s ongoing investigation, Bono Mack spokesman Ken Johnson told us. The subcommittee insisted instead that Sony respond to their Friday letter before the hearing, Johnson said, and Sony has agreed to cooperate and provide answers by close of business Tuesday. While the hearing will tackle data theft issues broadly, the emphasis will be the recent PSN and Epsilon data breaches, Johnson said.
While Sony won’t appear, FTC and U.S. Secret Service officials are scheduled to testify at Wednesday’s hearing, according to a subcommittee majority memo. Witnesses are David Vladeck, director of the FTC Consumer Protection Bureau, and Pablo Martinez, deputy special agent in charge of the Secret Service Criminal Investigative Division. Justin Brookman, director of the Center for Democracy and Technology’s Consumer Privacy Project, and Purdue University Center for Education and Research in Information Assurance and Security (CERIAS) Executive Director Gene Spafford are scheduled to testify on a second panel at the hearing. Additional witnesses may be added, the memo said. The hearing is at 9:30 a.m. in Room 2322, Rayburn House Office Building.
A forthcoming data security bill announced last week by Bono Mack will be based on legislation introduced last year (HR-2221, 111th Congress) by Rep. Bobby Rush, D-Ill., the majority memo said. Before introducing it, Bono Mack plans to collect “comments through Subcommittee oversight and a relevant stakeholder process,” the memo said. Johnson said to expect some changes to the bill reflecting the PlayStation incident and what the subcommittee learns at Wednesday’s hearing. Rush, the former chairman of the subcommittee, said last week he planned to reintroduce HR-2221. Bono Mack hopes Rush will work with her, and she also plans to work with Butterfield, the subcommittee’s ranking Democrat, Johnson said. Rush and Bono Mack aren’t currently working together on one bill, but it’s likely “collaboration will take place as the work ensues to reconcile the House bills with the Senate side,” a Rush spokeswoman told us.
The upcoming House data security bill dates back to the 109th Congress, when Rep. Cliff Stearns, R-Fla., introduced the Data Accountability and Trust Act. It was reported out of the committee, but didn’t move to the House floor. Rush reintroduced the bill in the 110th Congress, but it saw no committee action. Rush revived it again, with amendments, in the 111th Congress. The House passed HR-2221 by voice vote but the measure stalled in the Senate.
Sony thinks credit card information may not have been stolen because there’s “no trace that the hacker went to read that part of the database,” Chief Information Officer Shinji Hasejima told reporters at the Tokyo news conference. Hirai again repeated that there’s “no evidence” credit card information had been taken, but that Sony couldn’t rule it out. However, Sony has confirmed that three- and four-digit credit card ID verification codes were “not compromised,” Hirai said. Hirai, with prompting from Hasejima, said credit card data in Sony’s possession were encrypted, and so were less prone to hacking than passwords, which were not encrypted. Minutes later, Hasejima corrected himself to say passwords, though not encrypted, were cryptographically “hashed.” There’s “a difference between these two types of security measures, which is why we said the passwords had not been encrypted,” spokesman Patrick Seybold said Monday on a PlayStation Blog posting. “But I want to be very clear that the passwords were not stored in our database in cleartext form.”
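The distinction Seybold draws between a hashed password and an encrypted one is easy to state in code. The following Python is an added example, not code from the article or from Sony, and it assumes its own parameters: PBKDF2-HMAC-SHA256 with an illustrative iteration count for the password store, and a deliberately minimal toy stream cipher (HMAC-SHA256 in counter mode) used only to show that encryption, unlike hashing, is reversible by whoever holds the key.

```python
# Added example, not code from the article or from Sony: what "hashed, not
# encrypted" means for a stored password, using only the standard library.
# The PBKDF2 parameters and the toy cipher are assumptions for illustration.
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 work factor. Raise it until one check costs
# tens of milliseconds on the login servers that will run it.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as a salted, slow, one-way hash.

    Returns a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<hash>'.
    Nothing in the record can be turned back into the password; the only
    way to use it is to recompute the hash from a candidate and compare.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return "$".join([
        "pbkdf2_sha256",
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(candidate: str, record: str) -> bool:
    """Check a login attempt against a stored record in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt,
                                 int(iters))
    # compare_digest does not leak where the first mismatching byte is
    return hmac.compare_digest(actual, expected)


# Encryption, by contrast, is reversible for anyone holding the key, which is
# why an encrypted card number is only as safe as the key's storage. The toy
# cipher below (HMAC-SHA256 keystream in counter mode, XORed with the data)
# exists only to show that reversibility. It has no integrity protection and
# is not a substitute for an authenticated cipher such as AES-GCM.
NONCE_BYTES = 12


def _toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    produced = 0
    counter = 0
    while produced < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        blocks.append(block)
        produced += len(block)
        counter += 1
    return b"".join(blocks)[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_BYTES)  # never reuse a nonce under one key
    stream = _toy_keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    stream = _toy_keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password verifies:",
          verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
    print("same password, different record:",
          record != hash_password("correct horse battery staple"))

    key = os.urandom(32)  # constructed demo key
    blob = toy_encrypt(key, b"4111111111111111")  # constructed test card number
    print("card recovered with the key:", toy_decrypt(key, blob))
```

The practical consequence for an incident like this one: a stolen table of salted, iterated hashes gives a thief no passwords directly, only the ability to guess and check each one at a cost the salt and iteration count set, so the recommended user action is still a password change. An encrypted card column, on the other hand, is recoverable by anyone who also obtains the key, which is why the question of whether the attacker could reach the key material matters as much as whether the column itself was read.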
Of the 78 million PSN accounts in the system, only 10 million are linked to a credit card, Hirai said. The rest are paid for through prepaid “wallets,” or through “e-money” transfers, he said. Sony knows of no reports of credit card fraud resulting from the PSN hack, he said. Sony will “consider” paying PSN customers’ credit card reissue fees for those who “wish to” cancel their credit cards and get new ones, Hirai said. Later in the Q-and-A, he called possible PSN-related credit card fraud a “hypothetical” problem, saying Sony would try to help those “damaged” on a “case-by-case basis.”
The breach occurred at an AT&T service center in San Diego, Hirai said. Sony Network Enterprises (SNE) leases space at the center and “manages the servers,” he said. AT&T spokesman Mark Siegel confirmed the leasing arrangement, which means it supplies SNE with power and Internet connectivity at the facility, nothing more. “We had nothing to do with this situation,” Siegel told us of the PSN hack. Hasejima said the “skillful” hacker entered the system through “a known vulnerability” in San Diego’s “Web application server.” But SNE officials knew nothing about the vulnerability before the attack, he said. Sony didn’t respond right away to a request for comment on how the vulnerability could have been known, but not to SNE executives.
Sony reported the crime to the FBI because of the San Diego jurisdiction, Hirai said. When asked whether the company had contacted authorities in other countries, Hirai answered no, but that other countries had made “inquiries” of Sony, which Sony was responding to on a case-by-case basis. Later in the Q-and-A, Hasejima said the inquiries sought Sony’s cooperation in hacking investigations being conducted in individual countries.
Hirai was asked if the PSN breach might delay introduction of the Sony Tablets and the “NGP,” the codenamed successor to the PSP. “Those products hinge upon the security” of the PSN, he said. Sony’s goal is to “regain the trust and confidence of users” in preparing to introduce products that make use of the PSN “roadmap,” he said. “I plan to travel on that roadmap in the days ahead.” When pressed to say whether that meant Sony Tablets and NGP would be delayed, Hirai said there was “no change in details” from what Sony previously has announced.
Sony has been victimized in the last month and a half by the Internet group called “Anonymous,” Hirai said. Sony doesn’t know whether those attacks are related to the PSN breach, he said. The attacks threatened to expose personal information about top Sony executives, including where their kids go to school, he said. The Anonymous attackers also have threatened “protest sit-ins at Sony stores across the world,” he said. Anonymous has disavowed responsibility for the PSN hack but has said its attacks on Sony were to retaliate against the company for prosecuting a PS3 hacker. When asked by a reporter why he raised the subject of Anonymous, Hirai said he had mentioned it for “background” only and that he didn’t mean to “imply” that Anonymous was behind the PSN breach.
Other Sony disclosures: (1) Sony estimates the company’s offer of 30 days of free PSN downloads and other incentives to win back consumers’ goodwill will cost an average of $15-$20 in free services, Hirai said. But Sony is “not in a position” to say what kind of financial hit it will take from the PSN breach because there are too many variables at play, including lost sales, he said. (2) In the past, users could leave PSN once their prepaid “wallets” were spent, Hirai said. Now, Sony “is looking into details” how to refund customers who want out of the PSN service if they still have cash balances on their wallets, he said. (3) Though Sony said it plans to begin restoring PSN services region by region in about a week, full services, such as purchases through the PlayStation Store, may not be reactivated for a month, the company said.