Sony to testify before US subcommittee on Commerce next week

Friday, 27th May 2011 21:09 GMT By Stephany Nunneley

Sony will be sending Tim Schaff, the president of International Sony Network Entertainment division, to Washington DC next week to appear before a House subcommittee hearing regarding the firm’s recent Network breach.

According to a report in The Atlantic, Schaff will appear at the Tuesday hearing, after declining the first one held by the US House Subcommittee on Commerce, Manufacturing and Trade.

The Committee previously asked Sony to testify regarding the firm’s network security breach, along with other recent hacks made to firms such as Epsilon, but it declined and responded to the Committee’s questions in writing.

Today, subcommittee aide Ken Johnson confirmed the news that Sony would indeed sit in on the next meeting.

“While Chairman Bono Mack remains critical of Sony’s initial handling of the data breaches, she also is appreciative that the company has now agreed to testify,” said Johnson. “The Chairman firmly believes that the lessons learned from both the Sony and Epsilon experiences can be instructive and guide us as we develop comprehensive data protection legislation.

“We expect to introduce that legislation, which will provide new safeguards for American consumers, in the next few weeks.”

Thanks, GiantBomb.

  1. DSB

    The PSN-bill.

    That can’t be great in terms of branding.

    #1 4 years ago
  2. frostquake

    The Sony Consumer Protection Act, Bill or SCPA Bill…Just a waste of taxpayer dollars, but who cares we print money non-stop, and throw it at crap like this. It will accomplish nothing!

    #2 4 years ago
  3. Razor

    I wonder how Sony decided who to send.

    Spin-the-bottle or drawing straws :)

    #3 4 years ago
  4. jnms

    @2 Unless it is used as an excuse to limit joe average’s Internet access…

    #4 4 years ago
  5. DSB

    77 MILLION accounts, though. It’s impossible to tell how many credit cards that amounts to, but it’s going to be a pretty serious amount.

    That guy has to feel a bit like Tony Hayward going in to explain how they managed to fill half an ocean with crude oil from a little hole they made in the ground.

    #5 4 years ago
  6. Phoenixblight


    Sony doesn’t have to talk about the ones outside of the US, so your number is completely bloated. Either way Sony will go unscathed because there have been no reports of Americans having fraud charges on their accounts.

    And this does not equal the gulf spill, not even close. This doesn’t put people out of work or affect the ecosystem over generations. GG for hyperbole.

    #6 4 years ago
  7. DSB

    @6 Tony Hayward wasn’t brought to the Senate to account for any of the consequences of the spill, but more so to account for negligence on the part of his company or its subcontractors, which is exactly the same in this case. It’s not a legal proceeding where any claims can be made, merely a hearing to try and enlighten a few politicians on a major incident. Nothing hyperbolic about it, it’s pretty simple. This should never happen, whether it’s 7 million (which is obviously an infinitely small number, heh!) or 7 billion.

    I haven’t heard anything about the resulting fraud either, but then again I didn’t when the same thing happened to Gawker, and I wouldn’t have if it wasn’t because my brother had his credit card abused by someone enjoying Urdu Qurans and FIFA games as a result of the incident.

    #7 4 years ago
  8. Christopher Jack

    Several Aussie banks were hacked into not that long ago, no one is safe from these hackers :(

    #8 4 years ago
  9. TheWulf

    Steam appears to be safe from these hackers.

    It all depends on how tight your security is and how up to date your security guys are. The lighter your security, the more of a target you make yourself for an attack.

    Like I said before, it’s human nature, and it all comes down to predation. No one is going to go for the impossible targets unless they have something to prove, that rarely happens, and success is almost non-existent, so instead people go for the easier kills.

    When hunting and thinning the herd, you go for the young or elderly, or preferably, if available, the wounded. Having lacklustre security and a lackadaisical attitude towards the likelihood of attacks is going to make you seem like nice prey.

    It’s like presenting a big, healthy but blind and deaf mule deer to a hungry mountain lion. The results are going to be fairly obvious. The reason those banks were attacked was the same reason that Sony was attacked – it was discovered that their security was horrible.

    Now I’ll freely admit that Anonymous and other hacking groups might have leaked that Sony’s security was lacklustre and they had a care less attitude in regards to hacks, but these were Sony’s problems, if those problems hadn’t been present then the attacks wouldn’t have happened, because no one could’ve pointed to them and said that they’re easy prey.

    It’s fallacious to point to vulnerable parties and say that no one is ‘safe’ from hackers. Safety simply means having enough security to deter the casual black hat who’s in it for whatever he or she can steal and sell off. The vulnerable parties weren’t safe from hackers because they made it clear to someone that their security was horrible and did nothing to rectify the problem.

    If, as you say, no one is ‘safe’ from these hackers, then surely Steam would’ve been hacked countless times over by now, right? Your logic directly implies this. Steam cannot be safe from these hackers according to what you’ve said. And yet… in all the years they’ve been running, they haven’t been hacked once.

    And this is because they’re up on their security and take attacks seriously. This is enough to deter casual attackers, who’re often the only ones stupid enough to take on a giant corporation anyway (thus annoying the governments of whichever countries that corporation does business in, too). So it’s hardly smart, is it?

    In other words, if you get attacked then you’re likely being attacked by someone who’s perhaps not too bright. And that’s only happening because you made yourself look like the easiest target possible. “Hey, anyone could hack us, come have a go!”

    Again: Predation is human nature, and we go for the weakest of the herd. This starts off with bullying in school and applies to everything from daily life to corporate strategies. You can see this everywhere, a present and prevalent part of the human psyche. If you’re a nice guy running a small business who sees the good in everyone, then you’re ripe for a takeover.

    It’s cynical, yes, but it’s also completely honest.

    I’m not saying this just to be nasty but because sometimes we just have to face up to the fact that there are companies that just don’t take these things seriously, they believe they’re invulnerable when the truth is that they’re the exact opposite, and they don’t know how to deal with things when they get attacked after inviting people to do so.

    The way around this is to never believe you’re invulnerable, and to acknowledge that an attack could come from any angle, and then to hire proper security teams to tighten up your security from those and any other angle you could conceive.

    Sony themselves admitted that they didn’t see the attack coming because the attack vector was the PSN itself. They didn’t expect anyone to attack it so they simply didn’t bother with any form of security at all. They said it themselves and if you look at articles related to this one, you’ll probably find what I’m talking about.

    In fact, let me see if I can…

    Stringer did say Sony just plain weren’t expecting hacker activity.

    You NEED to expect hacker activity. You have to be paranoid about this. When you’re dealing with the details of your users, you OWE it to them to be incredibly paranoid. I mean, sure, the PSN is a free service, but once in a hacker can then get from there to other parts of their network. Or figure out how to. See: SOE attacks and SonyNet (or whatever it’s called) attacks.

    How can it not be their fault if they simply shrugged and believed in all honesty that security was unnecessary for any part of their network?

    And you’ll find that any company or organisation that gets intruded shares this attitude. There’ll be one part of their network where they thought that security wasn’t necessary. And BAM – wounded mule deer! The scent spreads, word gets out, and someone takes a stab at easy prey. I can’t blame anyone for doing so, really, because as I said it’s human nature.

    It’s the job of these companies and organisations to protect their own data. If they can’t do that then they should just pack in any online services and never try at that again. If they need advice then they can just consult with people who have a long track record of doing it right.

    But to say it again: How can you realise that Sony thought that security wasn’t necessary and not blame them? How can you, knowing that, not realise that those banks likely thought the same thing?

    If you’re not safe from hackers it’s only because you don’t actually care to be safe from hackers. It’s an expense you don’t want to have to be responsible for, so you engage in wishful thinking and you live in a bubble. Then something like this happens and you run around in a panic, screaming and pointing fingers at everyone but yourself.

    It’s the same with your own computer. If you don’t bother at all to protect it from casual hackers, then you’re going to get hacked, you’re going to have your credit card details stolen, and it’s going to be no one’s fault but your own.

    I mean, phishing attempts don’t exactly scream professionalism or effort, as an example, and no one I know has ever been fooled by one. But there are people who think that there’s no harm in clicking a link or filling out a form without checking with someone who knows better first. Again, this is all playing up to human psychology, making prey of the weak-minded.

    This is excusable in the case of those who don’t know much about computers, I know, and I wouldn’t expect everyone to be completely clued in. If you’ve had your passwords or details stolen a few times, I won’t blame you. But when you’re dealing with a giant corporate entity then you bloody well expect them not to do the equivalent of someone’s gran sending all their details via a form provided by a phishing email.

    #9 4 years ago
  10. NightCrawler1970

    The wrong thing that Sony did was try to cover up the mess, but somehow it was published, then Sony tried to deny the whole thing, and 1,5 later they had to admit that the hackers took gamers’ information (e-mail), their regular address, and in total 12.500 CC holders and 10.500 DC holders (US only). Then you’ve got Europe, and Asia, and I don’t know about Australia??? and the rest of the world… are breached….

    #10 4 years ago
  11. Bluebird

    @TheWulf: As much as I would like to read your tirades in full, I think I’ve read it all before. I’m just going to reiterate: No one is safe. Just because it hasn’t happened doesn’t mean it can’t or won’t happen.

    #11 4 years ago
  12. TheWulf


    One of the wrong things.

    1. They didn’t think security was necessary for a part of their network.
    2. They threatened people with litigation where they could’ve worked with them to tighten up their security and make the PlayStation 3 a better experience for everyone.
    3. They withheld information about this, just as you said.

    Now look at Microsoft by comparison:

    1. Microsoft have experienced a number of vulnerabilities and by this point they know to take security seriously. It’s no joke.
    2. Microsoft has a reputation for working with people who find holes in their security, and even offering ‘code bounties’ for people who find exploits and provide ways of fixing them.
    3. Microsoft have always tried to get day-one workarounds out for known exploits.

    You can say some fairly nasty things about Microsoft, but this is one thing that they’ve learned to do right.

    #12 4 years ago
  13. TheWulf


    You might as well have responded with ‘herp a derp derp’ for all the good your post did.

    You see, I’ve already invalidated your comment because I didn’t even say what you’re implying I did (straw-man, much?). In future – either read or don’t reply to things you haven’t read, it saves me the effort and you the embarrassment. What I said is that sufficient security provides safety from casual fraudsters – the sort of people who make these attacks.

    You need to understand the difference between sufficient security and no security. Sony has already admitted to having the latter.

    I will, once again, point out that Steam has yet to be breached. This is because Valve don’t wander around with a target on their arse.

    #13 4 years ago
  14. Bluebird

    It’s ok. You didn’t embarrass me, after all I pointed out that I didn’t read your post because it was so long. Now that you have summed it up in one paragraph I’m happy to acknowledge your point regarding small-time hackers and security. :)

    #14 4 years ago
  15. OrbitMonkey

    Rhetoric loving Sony hater loves own rhetoric.

    That’s surely the only conclusion for paragraphs of waffle. Let’s see if we can edit down some of TheWulf’s blubber, eh?

    “Sony did not have sufficient internet security, making them vulnerable to attack. This was a mistake for which they should apologise & rectify….. Oh they have…. fuck it, I HATE them so much I’m going to beat my little drum till I’m blue in the face!!”

    Ad nauseam

    #15 4 years ago
  16. DSB

    tl;dr :P

    We can all agree that there’s nothing like an ultimate network. Most of them are in continual development, and most of them inevitably suffer breakdowns and errors that provoke the proprietor to improve their systems.

    I’m not a server wiz myself, but I do know people who’ve worked with very big server systems, and based on what’s been released they’re simply amazed that PSN was so easy to bust open, which would seem to be corroborated by Sony’s embarrassment, their statements regarding the lack of preemption, and the fact that they lost all their accounts in one fell swoop, which seems extremely weird to me.

    If you have 77 million accounts, you should really consider compartmentalizing your data, so you don’t lose 77 million accounts in the case of a breach.

    It is a fair point that there are several other similar sized businesses who’ve never had a breach of that magnitude, and that’s definitely not because nobody’s tried to breach those, but simply because they built a better prepared network.

    There’s no perfect network, but there is such a thing as a negligently protected one.

    #16 4 years ago
  17. Christopher Jack

    @TheWulf, You appear to be a very intelligent person so I ask you, why do you continue to assume many of your points are correct without sufficient proof?

    #17 4 years ago
  18. OrbitMonkey

    @17 Appearances can be deceptive ;)

    All his points are simply opinions, and opinions are like assholes, everyone’s got one :D

    #18 4 years ago

Comments are now closed on this article.