Spafford told the subcommittee that, according to security mailing lists he subscribes to, "individuals who work in security and participate in the Sony network" had learned "several months ago" that PSN was hosted on servers running "very old versions of Apache software that were unpatched and had no firewall installed."
The professor continued, "they had reported these [issues] in an open forum that was monitored by Sony employees, but had seen no response and no change or update to the software." The timeframe for these events was "two to three months prior to the incident where the break-ins occurred," according to Spafford.