Sony: DDoS Masked Data Exfiltration

Lawmaker Criticizes Sony for How It Notified Customers of Breach
Sony: DDoS Masked Data Exfiltration
The board chairman of Sony Computer Entertainment America, in a letter to Congress released Wednesday, said distributed denial of service attacks crippling its PlayStation gaming network and Qriocity music service last month camouflaged simultaneous intrusions that resulted in the exposure of personal identifiable information, including credit card information, from tens of millions of customers' accounts (see Sony Breach Ignites Phishing Fears).

"Our security teams were working very hard to defend against denial of service attacks, and that may have made it more difficult to detect the intrusion quickly, all perhaps by design," Kazuo Hirai wrote Reps. Mary Bono Mack, R-Calif., and G. K. Butterfield, D-N.C., chair and ranking member of the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade, about the breach.

Hirai said the sheer sophistication of the intrusion and the attackers exploiting a system software vulnerability made detection difficult.

In the letter, Hirai revealed that Sony detected unauthorized activity in its network system the afternoon of April 19, a week before it officially notified customers. Hirai explained the delay, in part, in retaining the forensics expertise from at least three firms to pinpoint exactly what happened. The Sony unit's general counsel provided the FBI with information on the intrusion on April 22, but didn't meet with law enforcement representatives until April 27. Sony notified regulatory authorities of the breach in Maryland, New Hampshire and New Jersey on April 26 and Hawaii, Louisiana, Maine, Massachusetts, Missouri, New York, North Carolina, South Carolina, Virginia and Puerto Rico the next day.

The letter was released at a previously scheduled subcommittee hearing on breach notification in which Sony was invited to testify but declined, to the irritation of some panel members. Bono Mack griped that the first word of the breach came on a company blog: "That's right. A blog. I hate to pile on, but - in essence - Sony put the burden on consumers to search for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future."

A follow-up blog posted Wednesday by Patrick Seybold, Sony senior director of corporate communications and social media, said Sony informed the committee that hackers had planted a file named "Anonymous" with the words "We are Legion." "Anonymous" is a confederation of hackers who launched denial of service attacks against MasterCard, Visa, PayPal, Amazon and other sites in support of WikiLeaks (see Wikileaks' Defense: The DDoS Attack). Published reports said "Anonymous" denied being involved in the Sony attacks.

Hirai said forensics investigators determined the intruders used highly sophisticated and aggressive techniques to obtain unauthorized access, hide their presence from system administrators and escalate privileges inside the servers. "The intruders deleted log files in order to hide the extent of their work and activity within the network," the chairman wrote.

Forensic analysis couldn't determine if credit-card information was transferred to the hackers from the Sony network, Hirai said. "We know that for other personal information contained in the account database, the hacker made queries to the database, and the external forensics teams have seen large amounts of data transferred in response to those queries," he wrote. "Our forensic teams have not seen queries and corresponding data transfers of the credit-card information."

Major credit-card companies have not told Sony of any fraudulent transaction resulting fro the intrusions, Hirai said, adding that 12.3 million account holders had credit-card information on the PlayStation network, including 5.6 million from the United States. These numbers include active and expired credit cards.

Hirai said Sony is taking a number of steps to prevent future breaches, including enhanced levels of data protection and encryption; enhanced ability to detect software intrusions, unauthorized access and unusual activity patterns; additional firewalls; establishment of a new data center in an undisclosed location with increased security; and the naming of a chief information security officer (see Breach Gets Sony to Create CISO Post).

The fact that Sony had to notify regulators in various states is behind calls for a national data breach notification law. Bills to nationalize data breach regulations have failed to be enacted in the past two Congresses, but Bono Mack said she plans to introduce such legislation shortly.


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network