Business Report

Breached Companies Say They Did All They Could

Executives for Sony and Epsilon, an e-mail marketing company, insist that they had tight security before they lost consumer data.

Executives who contended with massive data breaches at two companies—Sony and Epsilon—agreed Thursday that a uniform federal law governing disclosure would improve responses to future breaches, but they also defended their security and response times.

Hacked: Tim Schaaff, president of Sony Network Entertainment International, and Jeanette Fitzgerald, general counsel for Epsilon Data Management, testify at a House Energy and Commerce subcommittee hearing.

“Regarding the security of networks, I think the experience of Epsilon and Sony indicates that despite spending millions to protect your networks—despite all the best methods known to us—the networks are not 100 percent protected. It is a process that requires continuing investment,” Tim Schaaff, president of Sony Network Entertainment International, testified at a hearing of the U.S. House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade.

In late April, Sony shut down the PlayStation Network and the Qriocity streaming media service for almost a month after breaches exposed personal information on 100 million accounts. Sony estimates that the damage cost $171 million to fix. Yet another hacking attack against Sony surfaced Thursday, this time in the Sony Pictures division. The group that claimed responsibility for it said it was easy to enter the computer systems and access customer data because the company had poor security measures in place.

Earlier in April, a hacker using an employee’s password at Epsilon—which handles e-mail marketing campaigns for major companies—stole millions of e-mail addresses and possibly customer names. While Epsilon did not name the companies victimized, its clients include Best Buy, Walgreens, Citigroup, JPMorgan Chase, Hilton, and Marriott. In both cases, the culprits are unknown.

Committee members are mulling a White House proposal for legislation to establish a single federal law requiring companies to notify users of breaches that expose personal information. Currently, 47 state laws govern such notification. Both Schaaff and Jeanette Fitzgerald, chief counsel for Epsilon Data Management, endorsed the idea, saying a uniform federal law would clarify what they needed to do and when they needed to do it.

Rep. Mary Bono Mack, the California Republican who chairs the committee, criticized Sony for taking a week after detecting its breach to explain to customers that their data, including names, addresses, birth dates, and e-mail addresses, had been exposed. “In effect, Sony put the burden on consumers to search for information instead of providing it to them directly,” she said. But Schaaff said that Sony actually may have gone too far in suggesting that credit-card data, too, might have been stolen; it now appears the card information remained protected, he said.  

He said that any data-breach law should be careful to strike a balance between warning victims in a timely manner and giving them accurate information. And he denied media reports—and insinuations by some of the congressional questioners—that Sony’s servers weren’t adequately protected. “That’s patently false—the Apache servers were fully up to date and fully patched, and had several firewalls in place,” he said. “The intensity and sophistication of the hack—despite those best measures taken, they were not sufficient.” Sony has since added layers of protection, he said.

Earlier, Sony said it would hire a chief information security officer—a position that already exists at many other big companies.

Fitzgerald said Epsilon had tight security and added that industry security standards—which she said the company had followed—are “far from sufficient.” She added, “If they were sufficient, we wouldn’t be here. We are all under attack.”
