Breached Companies Say They Did All They Could

Executives for Sony and Epsilon, an e-mail marketing company, insist that they had tight security before they lost consumer data.

Executives who contended with massive data breaches at two companies—Sony and Epsilon—agreed Thursday that a uniform federal law governing disclosure would improve responses to future breaches, but they also defended their security and response times.

Hacked: Tim Schaaff, president of Sony Network Entertainment International, and Jeanette Fitzgerald, general counsel for Epsilon Data Management, testify at a House Energy and Commerce subcommittee hearing.

“Regarding the security of networks, I think the experience of Epsilon and Sony indicates that despite spending millions to protect your networks—despite all the best methods known to us—the networks are not 100 percent protected. It is a process that requires continuing investment,” Tim Schaaff, president of Sony Network Entertainment International, testified at a hearing of the U.S. House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade.

In late April, Sony shut down the PlayStation Network and the Qriocity streaming media service for almost a month after breaches exposed personal information on 100 million accounts. Sony estimates that the damage cost $171 million to fix. Yet another hacking attack against Sony surfaced Thursday, this time in the Sony Pictures division. The group that claimed responsibility for it said it was easy to enter the computer systems and access customer data because the company had poor security measures in place.

Earlier in April, a hacker using an employee’s password at Epsilon—which handles e-mail marketing campaigns for major companies—stole millions of e-mail addresses and possibly customer names. While Epsilon did not name the companies victimized, its clients include Best Buy, Walgreens, Citigroup, JPMorgan Chase, Hilton, and Marriott. In both cases, the culprits are unknown.

Committee members are mulling a White House proposal for legislation to establish a single federal law requiring companies to notify users of breaches that expose personal information. Currently, 47 state laws govern such notification. Both Schaaff and Jeanette Fitzgerald, chief counsel for Epsilon Data Management, endorsed the idea, saying a uniform federal law would clarify what they needed to do and when they needed to do it.

Rep. Mary Bono Mack, the California Republican who chairs the committee, criticized Sony for taking a week after detecting its breach to explain to customers that their data, including names, addresses, birth dates, and e-mail addresses, had been exposed. “In effect, Sony put the burden on consumers to search for information instead of providing it to them directly,” she said. But Schaaff said that Sony actually may have gone too far in suggesting that credit-card data, too, might have been stolen; it now appears the card information remained protected, he said.  

He said that any data-breach law should be careful to strike a balance between warning victims in a timely manner and giving them accurate information. And he denied media reports—and insinuations by some of the congressional questioners—that Sony’s servers weren’t adequately protected. “That’s patently false—the Apache servers were fully up to date and fully patched, and had several firewalls in place,” he said. “The intensity and sophistication of the hack—despite those best measures taken, they were not sufficient.” Sony has since added layers of protection, he said.

Earlier, Sony said it would hire a chief information security officer—a position that already exists at many other big companies.

Fitzgerald said Epsilon had tight security and added that industry security standards—which she said the company had followed—are “far from sufficient.” She added, “If they were sufficient, we wouldn’t be here. We are all under attack.”
