They said that employees had highlighted specific vulnerabilities on Sony websites and systems, but many of these were ignored. The company also reportedly did risk assessments to identify vulnerabilities but then failed to act on the advice that came out of them.