The Federal Bureau of Investigations today confirmed to Kotaku that it is looking into the security breach that brought the Playstation Network down and exposed millions of users' personal data to cybercriminals.
The FBI is joined by nearly two dozen state attorneys general and possibly the Federal Trade Commission who are looking into this month's Playstation Network hack attack which forced Sony to take their PS3 online service offline for more than a week.
Sony told Kotaku that they reported the security breach to the FBI's cybercrimes unit in San Diego. Contacted Thursday, an FBI spokesman confirmed that they were looking into the reports.
"The FBI is aware of the reports concerning the alleged intrusion into the Sony on line game server and we have been in contact with Sony concerning this matter," said FBI special agent Darrell Foxworth. "We are presently reviewing the available information in an effort to determine the facts and circumstances concerning this alleged criminal activity."
Meanwhile attorneys general from 22 states are demanding answers from Sony over the breach, asking why it took the company so long to alert customers to the attack.
That group of state attorneys general are sharing information with one another about their individual inquiries, Susan Kinsman, communications director for the Connecticut Office of the Attorney General told Kotaku.
The collection of attorneys general have also contacted the Federal Trade Commission to see if they have launched their own federal investigation, she said.
The Federal Trade Commission could have jurisdiction in a case involving loss of customer data through a security breach, FTC spokeswoman Claudia Bourne Farrell told Kotaku. But the FTC does not discuss or confirm ongoing investigations.
Kinsman also declined to say whether the FTC has launched their own investigation.
"A call has been made to the FTC and there will be discussions, but I can't comment on whether the FTC is investigating," she said.
While Kinsman was able to confirm that attorneys general from at least 22 states were looking into the Sony breach and how it might affect consumers in their states, she declined to say which states that included.
Connecticut's own attorney general sent a letter to Sony Computer Entertainment of America President and CEO Jack Tretton on Wednesday. The letter demanded answers to a number of questions including what data was stolen, who was responsible, how long the company knew and what was being done to make sure it doesn't happen again.
"The fact that sensitive information was apparently accessed without authorization makes me especially concerned about the possibility of financial fraud and targeted phishing scams," Connecticut Attorney General George Jepsen wrote. "What is more troubling is Sony's apparent failure to promptly and adequately notify affected individuals of this large-scale breach."
The letter goes on to outline a baker's dozen questions.
Kinsman said the letter was sent out Wednesday and that the office has not yet heard anything back from SCEA.
Sony officials told Kotaku that it wasn't until Monday, after an outside security group conducted an extensive investigation, that they realized customer data had been stolen. That data included names, passwords and other identifying information. Sony doesn't believe credit card numbers were stolen. If it was, that data is also encrypted when it is stored, they said.
Anyone with information concerning the breach is asked to contact the FBI at 858-565-1255 or 1-877-EZ-2-TELL. Cyber tips may be e-mailed to the Internet Crime Complaint Center.