Editor's note: In a story May 4 about an attack on Sony Corp.'s PlayStation Network, The Associated Press erroneously reported that Sony knows who is responsible. In a letter to Congress, the company said it does not know who is responsible.
"Sony now faces a large-scale cyber-attack involving the theft of personal information," Kazuo Hirai, chairman of the board of directors of Sony Computer Entertainment America LLC, said in a letter to members of the U.S. Congress.
"What is becoming more and more evident is that Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack designed to steal personal and credit card information for illegal purposes," he added in the letter to members of Congress who have launched an inquiry into the matter.
The company also said it waited two days after discovering data was stolen from its PlayStation video game network before contacting law enforcement and did not meet with FBI officials until five days later.
The theft prompted the U.S. Justice Department to open an investigation, officials said on Wednesday.
"The Sony matter is under active investigation. It involves personnel from the FBI and the Justice Department who are looking into the matter," U.S. Attorney General Eric Holder said. "It is something we are taking extremely seriously," Holder said.
Sony said that its video game network was breached at the same time it was defending itself against a major denial of service attack by the group calling itself Anonymous.
Anonymous is the name of a grass-roots cyber army that in December launched attacks that temporarily shut down the sites of MasterCard Inc. and Visa Inc. using simple software tools available for free over the Internet.
The group attacked the two credit card companies with "denial of service" attacks that overwhelmed their servers for blocking payments to WikiLeaks.
Sony said on Wednesday that Anonymous targeted it several weeks ago using a denial of service attack in protest of Sony defending itself against a hacker in federal court in San Francisco.
The attack that stole the personal data of millions of Sony customers was launched separately, while the company was distracted protecting itself against the denial of service campaign, Sony said.
Sony said it was not sure whether the organizers of the two attacks were working together.
The company noticed unauthorized activity on its network on April 19, and discovered that data had been transferred off the network the next day.
The PlayStation Network had 12.3 million accounts with credit card numbers globally, and about 5.6 million were U.S. accounts.
The company's general counsel gave the FBI information about the breach on April 22, the company said in the letter to the subcommittee on Commerce, Manufacturing and Trade.