The worldwide hacker group Anonymous may have played a role, even unwittingly, in the theft of personal data from 77 million Sony PlayStation Network customers, according to a letter from Sony's chairman to a Congressional committee.
Forensics teams have tracked the attack that netted the information to a file named "Anonymous" on an internal Sony server including the words "We are Legion", which is part of the hacker group's motto.
"Just weeks before, several Sony companies had been the target of a large scale, coordinated denial of service attack by the group called Anonymous," says Kazuo Hirai, Sony's chairman, in the letter.
That attack and the threat of more had Sony network security staff focused on DDoS defence, which might have distracted them from discovering the breach earlier, the letter says, "perhaps by design."
"Whether those who participated in the denial of service attacks were conspirators or whether they were simply duped in to providing cover for a very clever thief, we may never know. In any case, those who participated in the denial of service attacks should understand that - whether they knew it or not - they were aiding in a well planned, well executed, large scale theft that left not only Sony a victim, but also Sony's many customers around the world."
Anonymous earlier issued a statement that it wasn't responsible, but acknowledged that individual members might have acted independently to break in and steal the data.
The letter to Congress was prompted by a set of questions sent from a Congressional committee to Sony seeking information about the breach, how it happened and what Sony was doing about it.
The letter says that the attackers exploited a software vulnerability in one of the applications in the network that supports PlayStation Network, the online gaming site for Sony PlayStation customers.
The network consists of 130 servers, 50 software programs and 77 million registered accounts, the letter says. In all, Sony came to believe 10 of those servers had been compromised.
The letter says Sony knows the personal data was compromised because it found records of queries being made for it and large data transfers being made out in response. There were no logs of request for credit card information or corresponding outbound transfers, which is why Sony says credit card information might have been compromised but it just doesn't know.
"Among other things, the intruders deleted log files in order to hide the extent of their work and activity within the network," the letter says, which led Sony to conclude that "very sophisticated and aggressive techniques to obtain unauthorised access, hide their presence from system administrators, and escalate privileges inside the servers" had been used.
"At the same time that the experienced attackers were carrying out their attack, they also attempted to destroy the evidence that would reveal their steps."
The company says it has taken six steps to prevent future breaches:
- Added automated software monitoring and configuration management to help defend against new attacks
- Enhanced levels of data protection and encryption
- Enhanced ability to detect software intrusions within the network, unauthorised access and unusual activity patterns
- Implementation of additional firewalls
- Expediting a planned move of the system to a new data centre in a different location with enhanced security
- Naming of new chief information security officer directly reporting to the chief information officer of Sony Corp
To make up to its customers, Sony plans to offer US members complementary identity theft protection services.
It is creating a Welcome Back program including selected PlayStation entertainment content for free. All consumers returning to PSN will get 30 days free membership in PlayStation Plus premium subscription service. Current PlayStation Plus customers will have subscriptions extended for the number of days PSN and Qriocity services were unavailable and get an additional 30 days of free service, Sony says.