Sony declined to testify in front of Congress today, but it did send a letter answering all the questions that were posed and giving an overall layout of the situation at hand.
Sony says that at 4:15 on April 19, the network administrators of PlayStation Network first saw that there was some unauthorized access going on across about 130 servers. That's when PSN first shut down. Sony decided to wait 6 days before issuing a warning to its customers letting them know that their information was compromised. Almost a week before you decided to tell people? Kazuo Hirai, chairman of the board for Sony Computer Entertainment of America, writes that they didn't want to let people know early and "lead them to take unnecessary actions if the information was not fully corroborated by forensic evidence." Sony details in its letter that it had to bring in 3 different computer security firms before it found out on Easter Sunday how big the breach was. One interesting note was a file left by the hackers named "Anonymous" with the words "We are Legion."
I think that Sony should have erred on the side of being more open with information rather than how they went about it. 77 million people around the world were wondering what was going on, and Sony just kept quiet about it for almost a week. Especially with the news that Sony Online Entertainment went down as well, and there's no doubt that credit card information was stolen from there. The list may have been from 2007, but still, that creates a credibility gap that we have to work around.
Sony explained to Congress that it has already taken steps to up security, with more firewalls and monitoring services added in, but does it seem to be too little, too late? Hirai writes that Sony employees have had to "endure" this "unprecedented" breach and investigation. Will they endure as much as anyone who gets their credit card stolen from this attack?