Still coping with the aftereffects of a pair of attacks that has compromised as many as 100 million accounts and which caused two online gaming services to be taken offline, Japanese electronics giant Sony is considering offering a reward for information leading to the arrest and prosecution of the attackers, people familiar with the matter say.
The company hasn't reached a final decision concerning whether it will offer a reward, and may decide not to do it at all, but the option is on the table, sources told me today. The fact that Sony is considering a reward at all speaks to how seriously it wants the person or people who carried out the attacks that have forced its gaming services offline for nearly two weeks to face prosecution.
If Sony does decide to offer a reward, it will do so in cooperation with law enforcement agencies, including the FBI and the relevant law enforcement agencies in other countries. The discussions around the pros and cons of offering a reward are not complete and would require the sign-off of senior Sony executives in Tokyo, who have not given their go-ahead, these people say. The reward is being considered as one of many options Sony is mulling in consultation with law enforcement to try to jar loose any information on the identity of the attackers.
Word of a possible reward offering comes as the Financial Times reported that two members of the hacking group Anonymous have informed the FBI that members of the loosely associated group of activist hackers carried out the attacks that compromised the system and prompted Sony to shut down two of its online gaming services. A person or people involved with the initial denial-of-service attacks carried out against Sony in support of a hacker named George Hotz may have gone beyond the bounds of the action that was intended simply to hit Sony's PlayStation Gaming Network with more requests for service than it could handle and temporarily knock it off the Web.
These denial-of-service attacks have been the method that Anonymous typically uses. Last year, Anonymous carried out denial-of-service attacks against PayPal and against the Web sites of Visa and MasterCard after those companies stopped allowing people to make financial contributions in support of WikiLeaks. Police in the U.K. went on to make five arrests related to those attacks.
Meanwhile, Sony denied assertions by computer security expert Gene Spafford during a Congressional hearing Thursday that it had been running outdated versions of Web server software and had not been using a firewall on its servers. In a statement from Patrick Seybold, Sony's senior director, Corporate Communications and Social Media, that's expected to be published on Sony's PlayStation blog, the company was using updated software and had "multiple security measures in place." Here's the statement in full:
"The previous network for Sony Network Entertainment International and Sony Online Entertainment used servers that were patched and updated recently, and had multiple security measures in place, including firewalls."
Separately, Sony President Kaz Hirai sent a letter to Connecticut senator Richard Blumenthal containing a detailed timeline of the attack and Sony's response to it. The letter contains previously undisclosed details about the attack and the hardware Sony uses to run its gaming services.
The letter, which is embedded below, says that the systems involved use 130 servers and 50 distinct software programs. Sony first noticed the attack on April 19, when its network team discovered that several PlayStation Network servers had rebooted themselves unexpectedly. Four servers were immediately taken offline in order to figure out what was going on. By the next day, it was clear that another six had been attacked, and they were taken offline as well. By April 23, computer forensic teams confirmed that intruders had used what Sony describes as "very sophisticated and aggressive techniques to obtain unauthorized access to the servers and hide their presence from the system administrators" and had deleted log files showing the footprints of where in the system they had been. By April 24, Sony had hired three different computer security firms to investigate the attack.
By April 25, it had determined that the attack had involved some credit card accounts. Consumers were notified the next day, though Sony did not know initially that the credit card accounts had been compromised. The Wall Street Journal has a play-by-play.
The letter also says that Sony had stored approximately 12.3 million active and expired credit cards, approximately 5.6 million of which belonged to customers in the U.S.
"We of course deeply regret that this incident has occured and have apologized to our customers," Hirai wrote. "We believe we are taking aggressive action to right what you correctly perceive is a grievous wrong against our consumers: a wrong that is the result of a malicious, sophisticated and well orchestrated criminal attack on us and our consumers."
Earlier in the day, rumors of a third attack circulated in online chat rooms, but those reports couldn't be independently confirmed. Another attack couldn't come at a worse time for Sony. Analysts are estimating that cleaning up the damage from the first two could cost the company $1 billion or more before the incident is fully resolved.
Earlier this week people claiming to represent Anonymous denied any role in the theft of credit card numbers from Sony. However, Sony said in a letter to Congress that a text file containing a catch phrase often invoked by Anonymous and intended to taunt the company was left behind by the attackers. On Monday, Sony disclosed that the attack had involved not only its PlayStation Gaming Network, which has been offline since April 20, but also its Sony Online Entertainment division, which includes online games like Everquest and Star Wars: Galaxies.
Sony's letter to Sen. Blumenthal is here.