In congressional testimony this morning, Dr. Gene Spafford of Purdue University said that Sony was using outdated software on its servers — and knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts.

According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which “was unpatched and had no firewall installed.” The issue was “reported in an open forum monitored by Sony employees” two to three months prior to the recent security breaches, said Spafford.

Spafford made his comments in a hearing convened by the House Subcommittee on Commerce, Manufacturing, and Trade. Sony was invited to participate in the hearing, but declined to attend. In a letter to the committee, Sony said it has added automated software monitoring and enhanced data security and encryption to its systems in the wake of the recent security breaches.

“If Dr. Spafford’s assessment is accurate, it’s inexcusable that Sony not only ran obsolete software on servers containing confidential data, but also that the company continued to do so after this information was publicly disclosed,” said Jeff Fox, Consumer Reports Technology Editor.

The Threat of Data Theft to American Consumers [Committee on Energy and Commerce]