Sony executives were absent today as members of a House committee took turns lambasting the company for the way it handled breaches of its Sony PlayStation Network and Sony Online Entertainment, breaches that exposed personal data of more than 100 million consumers.
In a letter submitted to the House Subcommittee on Commerce, Manufacturing, and Trade, the company said it is a victim in the scheme, not the perpetrator.
Sony "has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyberattack designed to steal personal and credit card information for illegal purposes," said Sony Computer Entertainment chief Kaz Hirai.
But lawmakers blasted Sony for its slow response to the breaches, which committee chair Mary Bono Mack (R.-Calif.) called “half-hearted, half-baked,” and also blasted Epsilon, the email marketing firm that lost control of millions of consumers' names and email addresses last month. Epsilon had also been invited to testify at today's hearing but did not bother to show up.
“I am deeply troubled by these latest data breaches, and the decision by both Epsilon and Sony not to testify today. This is unacceptable,” Bono Mack said. She said Epsilon claims it “did not have time to prepare for our hearing — even though its data breach occurred more than a month ago. Sony, meanwhile, says it’s too busy with its ongoing investigation to appear. Well, what about the millions of American consumers who are still twisting in the wind because of these breaches? They deserve some straight answers, and I am determined to get them.”
In the letter, Hirai concedes that, although Sony first learned of the PlayStation Network breach on April 19, it did not shut down the network until the next day and did not inform users until six days later that their personal information and possibly credit card account numbers had been compromised.
Bono Mack noted that the company first disclosed the data breach on a company blog, “putting the burden on consumers to search for information instead of accepting the burden of notifying them.”
Unpatched
Sony and Epsilon also took heat from academicians and computer scientists who pointed to weak spots in the companies' security.
Dr. Gene Spafford of Purdue said key parts of Sony's PlayStation Network ran on Apache servers that "were unpatched and had no firewall installed." This was reported in a forum known to be frequented by Sony employees, he said, though no changes were made in the months leading up to the attack.
The Federal Trade Commission noted that it has been asking Congress to give it civil penalty authority to go after companies that lose data through carelessness; in the last 10 years, the FTC has brought cases against 34 such companies, though it is currently limited in the penalties it can seek.
“Data security is of critical importance,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “If companies do not protect the personal information they collect and store, that information could fall into the wrong hands, resulting in fraud and other harm, and consumers could lose confidence in the marketplace.”
The FTC is committed to a comprehensive, three-pronged effort to promote data security that includes law enforcement, consumer education, and data collection and analysis, Vladeck said. Since 2001, the agency has brought 34 cases against businesses that allegedly failed to protect consumers’ personal information, including two cases earlier this week involving Ceridian and Lookout Services, Inc.
Bono Mack was not the only lawmaker sharpening her pencil.
Rep. G.K. Butterfield (D.-N.C.), the commerce panel's ranking member, called it "alarming" that more than 100 million customers' personal details were compromised in the hack. Rep. Henry Waxman (D.-Calif.) said "companies have an obligation to inform those individuals whose information was lost or stolen."