WASHINGTON (AP) — The data breach of Sony's PlayStation Network resulted from a "very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes," a Sony executive said.
In a letter to members of the House Commerce Committee released Wednesday, Kazuo Hirai, chairman of Sony Computer Entertainment America LLC, defended the company's handling of the breach.
Sony first disclosed the breach last week. It said the attack may have compromised credit card data, email addresses and other personal information from 77 million user accounts. On Monday, Sony said data from an additional 24.6 million online gaming accounts also may have been stolen.
The company has shut down the affected systems while it investigates the attacks and beefs up security. Hirai said Sony is working "around the clock to get the systems back up and to make sure all our customers are informed of the data breach and our responses to it."
Addressing criticism that the company waited too long to inform customers, Hirai said Sony waited until it had a solid understanding and confirmation of the extent of the attack and its implications.
"Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence," he wrote.
Although Sony began investigating unusual activity on the PlayStation network on April 19, it did not notify consumers of the breach until April 26.
Hirai's letter said the company does know who is responsible for the attack and is working with outside security and forensics consultants and the Federal Bureau of Investigation on an inquiry.
The letter also noted that the hack came on the heels of denial of service attacks launched against several Sony operations and threats made against Sony and its executives in retaliation for complaint filed by the company against a hacker in U.S. District Court in San Francisco.
The letter said Sony may not have immediately detected the PlayStation breach in part because its security teams were busy trying to defend against the denial-of-service attacks.
"Whether those who participated in the denial of service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know," Hirai wrote.
Hirai was one of three Sony executives who bowed in apology for the data breaches for several seconds at the company's Tokyo headquarters on Sunday.
His letter was in response to an inquiry by Rep. Mary Bono Mack, R-Calif., who chairs the House Commerce Subcommittee on Commerce, Manufacturing and Trade, and Rep. G.K. Butterfield of North Carolina, the subcommittee's top Democrat.
Sony officials had been invited to testify at a subcommittee hearing on data breaches held Wednesday, but did not appear.
One witness, David Vladeck, director of Federal Trade Commission's bureau of consumer protection, used his testimony to call for legislation that would require companies to implement reasonable data security policies and procedures, and notify consumers in the event of a breach.