Anonymous earlier issued a statement that it wasn't responsible, but acknowledged that individual members might have acted independently to break in and steal the data.

The letter to Congress was prompted by a set of questions sent from a Congressional committee to Sony seeking information about the breach, how it happened and what Sony was doing about it.

The letter says that the attackers exploited a software vulnerability in one of the in the network that supports PlayStation Network, the online gaming site for Sony PlayStation customers.

The network consists of 130 servers, 50 software programs and 77 million registered accounts, the letter says. In all, Sony came to believe 10 of those servers had been compromised.

The letter says Sony knows the personal data was compromised because it found records of queries being made for it and large data transfers being made out in response. There were no logs of request for credit card information or corresponding outbound transfers, which is why Sony says credit card information might have been compromised but it just doesn't know.