In a letter to a House panel, Kazuo Hirai, chairman of Sony Computer Entertainment America, said that the company realized on April 20 that an “unauthorized intrusion had occurred and that data of some kind had been transferred off of the PlayStation Network servers without authorization.”
Yet Sony did not notify the public and regulatory authorities in some US states until April 26. The following day, Sony notified additional regulatory authorities and briefed the FBI on the data breach.
Hirai explained that the reason for the delay was the complexity of the PlayStation Network and the need to complete a thorough investigation into the breach.
“Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence”, he said.
Responding to Sony’s decision not to appear before the House Commerce Committee’s subcommittee on commerce, manufacturing, and trade, Chairman Mary Bono Mack (R-Calif.) said that Sony “says it’s too busy with its ongoing investigation to appear [before the committee]. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them.”
Bono Mack criticized Sony for the delay in informing its customers of the data breach and the manner of notification through its blog. “I hate to pile on, but – in essence – Sony put the burden on consumers to ‘search’ for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future.”
In its letter, Sony explained that it had taken a number of steps to prevent future breaches: adding automated software monitoring and configuration management to help defend against new attacks, enhancing data protection and encryption, enhancing its ability to detect software intrusions within the network, implementing additional firewalls, moving servers to a new data center with enhanced security, and naming a new chief information security officer reporting directly to the Sony chief information officer.