In a letter to the U.S. House of Representatives on Wednesday, Sony said a file named “Anonymous,” containing the words “We Are Legion,” was left behind by the intruders who gained access to the servers of Sony Online Entertainment, the company’s game development and distribution arm. The intruders in that breach compromised information on 24.6 million users, as well as 20,000 credit card and bank account numbers.
Sony discovered the SOE breach on Sunday while investigating an earlier attack that compromised information on 77 million accounts from Sony’s PlayStation Network and Qriocity services in April. Anonymous has not been linked to the PlayStation Network breach — the first one detected. However, Sony noted that both breaches took place in the same time frame, which also corresponded with a denial-of-service campaign launched by Anonymous in retaliation for Sony’s lawsuit against PlayStation tinkerer George Hotz.
Members of the House Committee on Energy and Commerce held a hearing Wednesday to address the subject of data theft and its potential impact on consumers. Sony Computer Entertainment CEO Kaz Hirai did not attend, but sent written responses to the House Subcommittee on Commerce, Manufacturing and Trade. Sony summarized the content of Hirai’s letter on its official PlayStation blog, saying that it had suffered from a “very carefully planned, very professional, highly sophisticated criminal cyberattack.”
Sony said it knew how the intrusion was accomplished, but not who was responsible.
Photocopies of the letter were also made available. The letter details the company’s actions over the past two weeks and says Sony acted with “care and caution” while deciding how to act and when to inform companies of the security breach.
On the afternoon of April 20, Sony first discovered evidence of an unauthorized intrusion, the company said in the letter. It then took down the PlayStation Network servers.
Over the next five days, the company hired multiple security firms and forensic teams to determine the scope of the breach. On April 25, Sony found that hackers could have obtained personal information for 77 million PSN accounts, and it informed customers of the breach on the following day.
Sony did not inform customers prior to April 26, because it did not want to “cause confusion and lead [customers] to take unnecessary actions,” the company said.
Major credit card companies have still not reported any fraud that they believe is directly related to the attack, Sony said, adding that 12.3 million customers had credit card information stored on the PlayStation Network, including 5.6 million in the United States. Sony says those credit card numbers were stored encrypted.
Sony added on Monday that its Sony Online Entertainment services had also been affected by the hack, and that hackers may have obtained personal information for its 24.6 million users. As of Wednesday, the company’s Facebook and other online game services have not been brought back online.
Sony said it plans to bring some of PlayStation Network’s services back up this week. As a goodwill gesture, customers will receive 30 free days of PlayStation Plus as well as a variety of free downloads.