Skip to Content

Breached Companies Say They Did All They Could

Executives for Sony and Epsilon, an e-mail marketing company, insist that they had tight security before they lost consumer data.

Executives who contended with massive data breaches at two companies—Sony and Epsilon—agreed Thursday that a uniform federal law governing disclosure would improve responses to future breaches, but they also defended their security and response times.

Hacked: Tim Schaaff, president of Sony Network Entertainment International, and Jeanette Fitzgerald, general counsel for Epsilon Data Management, testify at a House Energy and Commerce subcommittee hearing.

“Regarding the security of networks, I think the experience of Epsilon and Sony indicates that despite spending millions to protect your networks—despite all the best methods known to us—the networks are not 100 percent protected. It is a process that requires continuing investment,” Tim Schaaff, president of Sony Network Entertainment International, testified at a hearing of the U.S. House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade.

In late April, Sony shut down the PlayStation Network and the Qriocity streaming media service for almost a month after breaches exposed personal information on 100 million accounts. Sony estimates that the damage cost $171 million to fix. Yet another hacking attack against Sony surfaced Thursday, this time in the Sony Pictures division. The group that claimed responsibility for it said it was easy to enter the computer systems and access customer data because the company had poor security measures in place.

Earlier in April, a hacker using an employee’s password at Epsilon—which handles e-mail marketing campaigns for major companies—stole millions of e-mail addresses and possibly customer names. While Epsilon did not name the companies victimized, its clients include Best Buy, Walgreens, Citigroup, JPMorgan Chase, Hilton, and Marriott. In both cases, the culprits are unknown.

Committee members are mulling a White House proposal for legislation to establish a single federal law requiring companies to notify users of breaches that expose personal information. Currently, 47 state laws govern such notification. Both Schaaff and Jeanette Fitzgerald, chief counsel for Epsilon Data Management, endorsed the idea, saying a uniform federal law would clarify what they needed to do and when they needed to do it.

Rep. Mary Bono Mack, the California Republican who chairs the committee, criticized Sony for taking a week after detecting its breach to explain to customers that their data, including names, addresses, birth dates, and e-mail addresses, had been exposed. “In effect, Sony put the burden on consumers to search for information instead of providing it to them directly,” she said. But Schaaff said that Sony actually may have gone too far in suggesting that credit-card data, too, might have been stolen; it now appears the card information remained protected, he said.  

He said that any data-breach law should be careful to strike a balance between warning victims in a timely manner and giving them accurate information. And he denied media reports—and insinuations by some of the congressional questioners—that Sony’s servers weren’t adequately protected. “That’s patently false—the Apache servers were fully up to date and fully patched, and had several firewalls in place,” he said. “The intensity and sophistication of the hack—despite those best measures taken, they were not sufficient.” Sony has since added layers of protection, he said.

Earlier, Sony said it would hire a chief information security officer—a position that already exists at many other big companies.

Fitzgerald said Epsilon had tight security and added that industry security standards—which she said the company had followed—are “far from sufficient.” She added, “If they were sufficient, we wouldn’t be here. We are all under attack.”

Keep Reading

Most Popular

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

This baby with a head camera helped teach an AI how kids learn language

A neural network trained on the experiences of a single young child managed to learn one of the core components of language: how to match words to the objects they represent.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.