Japanese electronics company Sony has finally broken its silence on the culprits behind the recent cyber attack, indicating that online hacktivist group Anonymous could have conspired the data theft or helped it take place indirectly.
In a letter to US lawmakers, Sony disclosed that Anonymous indirectly allowed a network attack which led to the theft of personal data of over 100 million customers. It said that the security breach could be a revenge for the legal action the company had taken against hackers earlier this year, but which had been withdrawn subsequently.
Sony Computer Entertainment president and America division chairman Kazuo Hirai wrote to the House Energy and Commerce Committee’s panel on commerce, manufacturing and trade, saying that it has found a file named "Anonymous" on one of its servers and which had the words "We are Legion," which is associated with the hacktivist group.
Anonymous, a group of online hackers spread across the world, is best known for the distributed denial of service (DDoS) attacks on Visa, PayPal and others in support of whistle-blowing site WikiLeaks. It had also brought down the website of HBGary Federal, a security services firm helping the FBI to unmask its members.
Hirai said the data theft took place when the company was busy fighting a DDoS attack from Anonymous.
DDoS attacks typically cripple servers by overloading them with requests for data.
"This cyberattack came shortly after Sony Computer Entertainment America was the subject of denial of service attacks launched against several Sony companies and threats made against both Sony and its executives," Hirai wrote.
"Whether those who participated in the denial of service attacks were conspirators or whether they were simply duped into providing cover for a very clever thief, we may never know."
Sony also said that detectives and the FBI are investigating the matter and they have yet to find out the real culprits.
Earlier this year, Sony had filed a case against a group of PlayStation 3 hackers for breaching the console and allowing people to run custom packages on the device. But the company dropped the case soon after receiving threats by Anonymous.
The group had then threatened Sony of dire consequences saying that it will not forgive the electronics company for taking legal action against fellow hackers George Hotz (Geohot) and Graf_Chokolo.
Anonymous said, "You have abused the judicial system in an attempt to censor information on how your products work. You have victimised your own customers merely for possessing and sharing information, and continue to target every person who seeks this information. In doing so you have violated the privacy of thousands."
"Now you will experience the wrath of Anonymous."
However, after Sony shut down its PlayStation Network on 19 April citing security reasons, Anonymous had denied that it was behind any attacks. It posted an update to its website titled "For Once We Didn’t Do It." The statement read: "While it could be the case that other Anons have acted by themselves AnonOps wa (sic) not related to this incident and takes no responsiblity (sic) for it."
Now in response to Sony’s letter, Anonymous has again denied the allegations.
It said, "Sony is incompetent. While it could be the case that other Anons have acted by themselves AnonOps was not related to this incident and takes no responsibility."
In the letter, Sony has admitted that it reacted late, but added that it did so to prevent confusion among users. The company said it waited two days after first discovering the data theft, and did not meet with FBI officials until five days later.
"Throughout the process, Sony Network Entertainment America was very concerned that announcing partial or tentative information to consumers could cause confusion and lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence," the letter said.
