Lawmakers from both of the main US political parties on Wednesday seized on the huge data breach at Sony to press for legislation that will require more timely and complete notification when such intrusions occur and set the first federal standards for securing sensitive information.
The Japanese technology company has been the subject of hacking and data theft at two online gaming networks in recent weeks, which have put financial details of millions of users at risk. It has been criticised for its slow response to the breach at its PlayStation Network two weeks ago.
At a House of Representatives hearing in Washington on Wednesday, Republican Mary Bono Mack, who heads the Commerce Committee’s Consumer Protection Panel, condemned Sony for a “half-baked response” towards warning 100m users that credit card details and passwords might have been stolen and said she would introduce a bill.
“We need a uniform national standard for data security and data breach notification and we need it now,” Ms Mack said. A leading Democrat on the commerce committee, John Dingell, got all four witnesses at the hearing to agree that current business practices were inadequate and that such a law was necessary.
Sony declined to appear at the hearing, but in response to written questions for the first time linked the intrusion to a campaign against it by the cyber-activist group Anonymous.
It said the breach occurred when its security specialists were dealing with more straightforward attacks by Anonymous that were crashing its websites, and that the criminal hackers that infiltrated its online gaming networks might have taken advantage of that, or conspired directly with Anonymous. Anonymous has denied responsibility for the theft.
Sony’s letter said it had found a reference to Anonymous planted by the intruders in the second breach, of its Sony Online Entertainment network, which was discovered on Sunday. Sony said it had seen no evidence that more than 12m encrypted credit card numbers that had been exposed had been taken, let alone cracked and used fraudulently.
Epsilon, an e-mail marketer that recently lost an estimated 60m e-mail addresses of client companies’ customers to hackers, also declined to testify.
Pablo Martinez, a senior Secret Service cybercrime agent, said the White House would soon give Congress recommendations on cyber security legislation.