The Democratic Unity Press is an underutilized Yahoo Group that some Democratic campaigns and offices add to their press lists to share news about their candidate / official. It’s been a great resource for me in observing the various ways that Democratic press shops are reaching out to the media, and for keeping up with one of my favorite new U.S. senators from my home state of Connecticut, Senator Richard Blumenthal.
This evening I saw a release and accompanying letter that might be of interest to anyone who still stops by this site (I’ve missed you and hope we keep catching up soon!) as it highlights new concerns that our exponentially developing technology poses for policy makers. And it highlights the ways that our elected officials can leverage their bully pulpit to advocate for their citizens.
As you probably know, about a week ago news broke that “Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts in what is one of the largest-ever Internet security break-ins.” The breach targeted their PlayStation Network. If you haven’t heard about it yet, don’t feel bad; many users reported delays in being notified about the breach (if you’re still waiting, here’s the message from Sony).
According to Infosecurity, part of the reason it took Sony a week to go public and begin notifying customers of the incident was that they were “waiting for outside experts to conduct forensic analysis and for Sony experts to understand the scope of the breach.” As you’ll note in the release and note below, there was yet another revelation about another 24.6 million users’ information being compromised. And, as you’ll note, Sony has been further delayed in notifying customers due to an apparent constraint of only being able to notify 500,000 people per hour, meaning it would take 8 days before the last of 100,000,000 customers could be reached.
Some international leaders have recently issued their own warnings to Sony and other companies on privacy, and while the United States still has not passed comprehensive federal legislation around data breach notifications, Senator Blumenthal is making me proud by putting his past advocacy as a champion for consumers in his last position as Connecticut’s attorney general (not sure why this hasn’t been updated yet…) to use. Rather than merely calling for hearings (and I assume they will happen eventually), the Senator is using his influence and the power of his voice through the media to call for immediate actions on behalf of consumers across America, including:
- Demanding immediate action to expedite notifications
- Pursuing the source of the latest round of breached accounts
- Discussing the issue with U.S. Attorney General Eric Holder during tomorrow’s Judiciary Committee hearing
- Calling for direct, public answers and increased transparency
- Encouraging the company to provide two years of free credit reporting services and identity theft insurance to customers who were affected
Check out Senator Blumenthal’s full release and letter to Sony Chairman Kazuo Hazai and President/CEO Jack Tretton after the jump, and let me know how you think our elected leaders should respond to the ever-changing technological environment that we live in.
What do you think of the two privacy and data breach notification bills that Congress failed to pass last session? What other effective examples have you seen of elected officials helping citizens outside their formal lawmaking and hearing powers?
FOR IMMEDIATE RELEASE
May 3, 2011
BLUMENTHAL DEMANDS ANSWERS FROM SONY EXECUTIVES FOLLOWING ADDITIONAL SECURITY BREACH
(Washington, DC) – Senator Richard Blumenthal today continued to pressure Sony executives for answers following new reports that the company’s data breach included the compromising and theft of data from an additional 24.6 million Sony Online Entertainment accounts. Originally Sony had announced that a cyber-attack on their PlayStation accounts had resulted in 50-75 million accounts being compromised including the theft of identifying information like names, birth dates and financial information.
In today’s letter, Blumenthal renewed his calls for answers and called for financial resources to be made available to all clients.
“I am deeply concerned about the egregious inadequacy of Sony’s efforts thus far to notify its customers of these breaches or to provide adequate protections for users whose personal and financial information may have been compromised,” said Blumenthal in a letter to both the Chairman and President & CEO of Sony Computer Entertainment America. “Sony’s failure to adequately warn its customers about serious security risks is simply unconscionable and unacceptable … The company should do everything in its power to promote transparency and speed notification in order to protect its users against identity theft and financial fraud,” the letter continues.
After the first reports of a security breach, Blumenthal wrote to the President and CEO of Sony to demand answers over the company’s delay in notifying their clients of the data breach and to provide users with free access to financial data security services and financial insurance to mitigate the consequences of identity theft.
Last week Blumenthal requested that Attorney General Eric Holder begin an investigation by the Department of Justice into the illegal hacking of Sony accounts and to examine any potential wrongdoing by Sony.
The full text of the letter is below.
Mr. Kazuo Hazai
Sony Computer Entertainment America
919 East Hillsdale Boulevard
Foster City, CA 94404
Mr. Jack Tretton
President and CEO
Sony Computer Entertainment America
919 East Hillsdale Boulevard
Foster City, CA 94404
Dear Mr. Hazai and Mr. Tretton:
I am writing in the absence of a response to my letter of April 26 regarding the breach of Sony’s PlayStation Network service, and pursuant to today’s news of a breach of Sony’s Online Entertainment service. I am deeply concerned about the egregious inadequacy of Sony’s efforts thus far to notify its customers of these breaches or to provide adequate protections for users whose personal and financial information may have been compromised.
As I previously wrote to you, “when a data breach occurs, it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised.” I am astonished by Sony’s failure to notify its customers in a timely manner about the breaches themselves, as well as to learn of the extent of the compromised data. Although Sony learned of the intrusion on its servers on April 19 and subsequently shut down its PlayStation Network, it did not begin sending email notification to users until a week later. Representatives of Sony have told my staff that this delay was due to Sony’s inability to send out more than 500,000 emails per hour, thus requiring several days to notify all of the affected users. If those technological limitations are true, today’s report that 24.6 million additional Sony customers may have been affected and will require notification is particularly troubling. I ask that additional steps be taken to expedite and speed notification.
Sony’s failure to adequately warn its customers about serious security risks is simply unconscionable and unacceptable. If Sony’s email capacity is indeed limited to sending 500,000 emails per hour, email notification of all of Sony’s 77 million PlayStation Network users would take nearly a week to complete. It is therefore possible that some users are receiving an email telling them their personal and financial information may have been breached nearly two weeks after the breach occurred. It is inconceivable that Sony has not considered other options for timely notification. The company should do everything in its power to promote transparency and speed notification in order to protect its users against identity theft and financial fraud.
Also confounding and unacceptable is Sony’s waiting until today to announce the breach of its Sony Online Entertainment service. Sony has claimed that this breach occurred at the same time as the breach of its PlayStation Network on April 19. If that is indeed the case, why did it take Sony until May 1 to discover this additional breach? Has Sony assessed the integrity of its other networks to determine whether any other breaches may have occurred?
I have asked Attorney General Eric Holder to investigate the criminal breach of Sony’s servers, as well as whether Sony’s subsequent handling of events in the wake of its breach gives rise to civil or criminal liability. I will be pursuing my request to the Attorney General at tomorrow’s Judiciary Committee hearing, at which he will be testifying.
Although Sony has not yet formally responded to my earlier letter, I would appreciate a direct and public answer detailing what the company will do in the future to protect its consumers against breaches of their personal and financial information. Sony should also clarify the number of credit card accounts that may have been compromised; news reports have indicated as many as 10 million cards on the PlayStation Network may have been affected, but Sony has indicated to my staff that the correct number is 9 million, and no information has yet been provided about how many numbers were compromised in this most recent breach. Finally, I would also appreciate a detailed timeline from Sony on this latest incident, outlining what the company knew about what was stolen and when it was known.
In my prior letter, I criticized Sony’s slow notification of PlayStation Network users and encouraged the company to provide two years of free credit reporting services and identity theft insurance to customers who were affected by the PlayStation Network breach. I also believe Sony should immediately notify Sony Online Entertainment service users, and extend these proposed protections to these victims as well. I appreciate your prompt response.
United States Senate