Sony Corp. president Howard Stringer has personally apologized for a massive breach of customers' personal information in a cyberattack and promised identity theft insurance for affected customers.
"As a company we — and I — apologize for the inconvenience and concern caused by this attack," Stringer said in a post on Sony's PlayStation blog Thursday afternoon. "We are absolutely dedicated to restoring full and safe service as soon as possible and rewarding you for your patience. We will settle for nothing less."
He added that Sony had launched a program to provide U.S. customers affected by the breach with an identity theft insurance policy worth $1 million per user, and similar announcements for customers in other countries would be coming soon. However, he added that there is "no confirmed evidence any credit card or personal information has been misused."
While Sony Computer Entertainment president Kazuo Hirai and two other executives from that subsidiary had made a public apology at a news conference on May 1, Thursday's blog was Stringer's first statement about the cyberattack that resulted in a data breach affecting more than 100 million customers of:
- The Sony PlayStation Network, which allows users to play online games, surf the web, chat with friends and download games and other content from the PlayStation store using their PlayStation 3 consoles.
- The Qriocity entertainment service, which streams movies on demand to compatible Sony devices such as HDTVs and Blu-ray players for a monthly fee.
- Sony Online Entertainment, which offers massively multiplayer online games such as Everquest 2 and Free Realms that can be played via PC, PlayStation 3 and Facebook.
More than one million Canadians were registered on the PlayStation Network prior to the incident.
- April 16-17: Hackers break into Sony Online Entertainment.
- April 17-19: Hackers break into Sony PlayStation Network and Qriocity.
- April 19: Sony detects an "external intrusion" on its PlayStation Network.
- April 20: Sony shuts down the PlayStation Network and Qriocity.
- April 22: Sony says the networks are affected by "an external intrusion" and that it is investigating.
- April 26: Sony announces that it believes "an unauthorized person" has obtained personal data of PlayStation Network and Qriocity users.
- May 1: Sony Computer Entertainment executives apologize for the breach at a press conference in Tokyo.
- May 2: Sony says Sony Online Entertainment was also affected by a malicious intrusion.
- May 4: Sony provides details of its investigation to a U.S. Congressional subcommittee.
- May 5: Sony CEO Howard Stringer apologizes and offers free identity theft insurance coverage to U.S. customers.
Sony announced on April 26 that it believed personal information such as email addresses, passwords, birthdates and possibly credit card data from users of its PlayStation Network and Qriocity services had been stolen. It had shut down both services six days earlier after detecting an "external intrusion."
On May 2, the company said the breach also affected Sony Online Entertainment.
Stringer acknowledged that some people believe the company should have notified customers earlier than it did. But he reiterated that it took the company some time to investigate the intrusion on its network and identify what information had been taken.
"I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process."
In a separate blog post Thursday, Sony said it had begun the final stages of internal testing of a new system that marked an "important step" toward restoring its PlayStation Network and Qriocity Services.
Anonymous denies responsibility again
Sony had suggested in a letter to a U.S. congressional subcommittee earlier in the week that there was evidence an online collective of political activist hackers known as Anonymous was responsible for the attack on its network.
The letter said cyber vandals planted a file named Anonymous on one of its Sony Online Entertainment (SOE) servers, with the tag line, "We are Legion," which is used by the group.
On Thursday, Anonymous denied responsibility for a second time in an article on its "AnonOps Communications" blog titled "Let's be clear, we are legion, but it wasn't us. You are incompetent Sony." The group said it has never been known to engage in credit card theft. It suggested it had been framed.
In an April 24 blog post, Anonymous had also denied responsibility for the attacks.
The timing made Anonymous a suspect because the group had posted a blog post earlier in April expressing alarm and displeasure about Sony's legal action against hackers who figured out how to modify the Sony PlayStation 3 console to run non-Sony approved applications and said "you must face the consequences for your actions."