Business Report

Breached Companies Say They Did All They Could

Executives for Sony and Epsilon, an e-mail marketing company, insist that they had tight security before they lost consumer data.

Executives who contended with massive data breaches at two companies—Sony and Epsilon—agreed Thursday that a uniform federal law governing disclosure would improve responses to future breaches, but they also defended their security and response times.

Hacked: Tim Schaaff, president of Sony Network Entertainment International, and Jeanette Fitzgerald, general counsel for Epsilon Data Management, testify at a House Energy and Commerce subcommittee hearing.

“Regarding the security of networks, I think the experience of Epsilon and Sony indicates that despite spending millions to protect your networks—despite all the best methods known to us—the networks are not 100 percent protected. It is a process that requires continuing investment,” Tim Schaaff, president of Sony Network Entertainment International, testified at a hearing of the U.S. House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade.

In late April, Sony shut down the PlayStation Network and the Qriocity streaming media service for almost a month after breaches exposed personal information on 100 million accounts. Sony estimates that the damage cost $171 million to fix. Yet another hacking attack against Sony surfaced Thursday, this time in the Sony Pictures division. The group that claimed responsibility for it said it was easy to enter the computer systems and access customer data because the company had poor security measures in place.

Earlier in April, a hacker using an employee’s password at Epsilon—which handles e-mail marketing campaigns for major companies—stole millions of e-mail addresses and possibly customer names. While Epsilon did not name the companies victimized, its clients include Best Buy, Walgreens, Citigroup, JPMorgan Chase, Hilton, and Marriott. In both cases, the culprits are unknown.

Committee members are mulling a White House proposal for legislation to establish a single federal law requiring companies to notify users of breaches that expose personal information. Currently, 47 state laws govern such notification. Both Schaaff and Jeanette Fitzgerald, chief counsel for Epsilon Data Management, endorsed the idea, saying a uniform federal law would clarify what they needed to do and when they needed to do it.

Rep. Mary Bono Mack, the California Republican who chairs the committee, criticized Sony for taking a week after detecting its breach to explain to customers that their data, including names, addresses, birth dates, and e-mail addresses, had been exposed. “In effect, Sony put the burden on consumers to search for information instead of providing it to them directly,” she said. But Schaaff said that Sony actually may have gone too far in suggesting that credit-card data, too, might have been stolen; it now appears the card information remained protected, he said.

He said that any data-breach law should be careful to strike a balance between warning victims in a timely manner and giving them accurate information. And he denied media reports—and insinuations by some of the congressional questioners—that Sony’s servers weren’t adequately protected. “That’s patently false—the Apache servers were fully up to date and fully patched, and had several firewalls in place,” he said. “The intensity and sophistication of the hack—despite those best measures taken, they were not sufficient.” Sony has since added layers of protection, he said.

Earlier, Sony said it would hire a chief information security officer—a position that already exists at many other big companies.

Fitzgerald said Epsilon had tight security and added that industry security standards—which she said the company had followed—are “far from sufficient.” She added, “If they were sufficient, we wouldn’t be here. We are all under attack.”
