Sony believes the recent security breach it suffered, wherein at least 77-million user records may have been compromised, was the work of a targeted attack by the “Anonymous” Internet vigilante group.
However, the group, which was responsible for temporarily shutting down the Mastercard and Visa sites recently, says in a YouTube statement that it wasn’t involved in the online hack – although it did launch a denial of service attack against Sony some weeks before.
Anonymous is a cyber group that uses tools available for free over the Internet. The denial of service attacks on the credit card companies were to block payments to WikiLeaks while the Sony attack was apparently in protest against Sony defending itself against a hacker in court.
Yesterday Kazuo Hirai, chairman of the Sony board, submitted written answers to questions posed by the US House of Representatives subcommittee about the cyber-attack the company has experienced.
In his submission, Hirai said: “Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.
“We discovered that the intruders had planted a file on one of our Sony Online Entertainment servers named ‘Anonymous’ with the words ‘We are Legion’.”
Although the attacks took place between 17 and 19 April, Hirai says that it was only on 25 April that forensic teams were able to confirm the scope of the personal data they believed had been taken, and they couldn’t rule out the possibility that credit card information had been accessed. On 26 April, customers were notified.
Sony comments that the major credit card companies have not, as yet, reported any fraudulent transactions that they believe are the direct result of this cyber attack.
The company says it is taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorised access and unusual activity patterns; additional firewalls; establishment of a new data centre in an undisclosed location with increased security; and the naming of a new chief information security officer.