The open letter begins, “Once again Anonymous has been blamed for a security breach, this time by the journalist Joseph Menn, in his article ‘Hackers point finger over Sony incursion’. Here, Anonymous wishes to lay out our case against these allegations and false assumptions…”
The letter goes on to pick apart some of the assumptions and accusations leveled against the group, and details the history of Anonymous, which describes itself as “(beginning) as a ‘meme’, or shared belief, at the turn of the century and later developed to become a ‘global collective conscience’ in 2006. But it was not until 2008 that Anonymous became a true display of ‘power in numbers’.”
The meat of the letter argues that Sony is attempting to use Anonymous to steer attention away from its own missteps:
Is all of this attention on Anonymous acting as a distraction from other problems, and overhyping the nature of the DDoS attacks? Sony’s recurring issues are beyond providing free game credits:
In order to process credit cards, every company needs to be PCI compliant. “If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard”. Since Sony’s network was “unpatched and had no firewall installed”, that is a clear violation of the PCI standards and ongoing reviews, thus likely to be criminal negligence. More importantly, “I can’t think of a major data breach where the company was PCI compliant,” said Ira Rothken, the lead attorney handling the class action lawsuit.
Sony has been accused of false billing, especially in the repairs department: customers who provided credit card details for an MMORPG are charged $150 for repairs to PS3s that they don’t own; repairs are double billed and then referred to retailers; equipment is charged $150 multiple times (2-4) for repairs that aren’t performed.
A decent credit card transaction gateway includes recurring billing as an option. Data mining by corporations has a profit motive, but as Sony has demonstrated it can be a massive liability. Why not start a discussion about corporate responsibility to protect user information, especially since they didn’t need it to begin with?
Sony’s response to the U.S. Senate is to request more laws and further the myth of “best practices.” Since Sony was warned of security holes months in advance, one of those “best practices” would be to accept the advice of the experts. In Sony’s passing the blame there is no justification for the collection and retention of personal information they didn’t need.
The end of the letter breaks from its legal tone and is downright chilling: “These reactions prove that requesting legislation to cover up corporate crimes and the abuse of law is frowned upon by all online communities, not just the Legion of Anonymous. Apparently Sony will have to learn the hard way that corporate malfeasance will not go unpunished. When the dust settles Sony may have more to fear from a massive class action lawsuit by their user base than the brief actions of the Global Hacker Nerd Brigade, Anonymous… Let THE GAMEs begin. :>”
This isn’t even close to being over.