Initially, I was going to post a long-winded discussion about the recent announcement from Sony regarding the now seven-day PSN shutdown, and the breach by a hacker on April 19 that resulted in the theft of millions of stored passwords and other personal data. However, after looking through several different opinions on the matter, I’ve decided instead to point out a few things that I have learned over the course of my perusal of several articles on the subject today, and to offer some explanation of why Sony acted the way it did in the lead-up to its public announcement of the scope of the breach. I would like to point out up front that this post is not meant to defend Sony in any way, nor is it meant to incite any fanboy hostilities (from the Sony side or otherwise), as that is often pointless and leads nowhere. Rather, the primary intent of this article is to explore the reasoning behind many of the decisions made, provide some acquired insight into the nature of the hacker(s) that committed the theft, and look at some of the ramifications of Sony’s actions.
Starting on April 20, Patrick Seybold, Sony’s senior director of corporate communications and social media, must have been the most uncomfortable person in the world. His company, SCEA, had to announce a network outage at the start of one of the busiest weeks of the second fiscal quarter and right before a major holiday weekend. All the while, I like to think that he must have known that things were only going to get worse.
As consumers looking in from the outside, the situation with Sony looks like a colossal series of blunders that started with an audacious theft of information and has led to a massive PR debacle for Sony. Initial reaction to Sony’s press announcement was met with widespread anger and condemnation from consumers the world over. Everyone with a PSN account was demanding immediate transparency of information while at the same time demanding to know why Sony waited as long as it did (6 days) before making a public announcement regarding its services. I must admit that I myself was in this boat, and had, in a prior blog post, mentioned my own frustration at the lack of information coming from the company. That was until I realized that SCEA had probably called law enforcement agencies the moment that the breach had occurred and, because of this, was reluctant to provide any details to the media which could potentially tip off the very criminals responsible for the act. I suppose me covering this story for this blog is kind of ironic, as a similar incident occurred at Georgia Tech when I was a student there, and it was one of the first few articles that I wrote for The Technique when I worked the news desk. In that case, 3,000 people’s personal data (including social security numbers) had been stolen by an off-campus computer hack into the servers of the School of Electrical and Computer Engineering. I remembered that I had talked to Matt Nagel, who was a spokesman for public affairs for the university. So I dug the story out and reread it. According to Tech, they were reluctant to provide me more details primarily because the investigation into the matter was ongoing. Applying this to Sony, it makes perfect sense that SCEA would be slow to provide any details while a forensic investigation into their servers (and, more importantly, the trail left by the hackers) was being conducted by both the FBI and a private security firm.
Also, looking at the Tech incident and seeing that social security information was stolen made the timeline of the SCEA incident make more sense. The only reason that SCEA would have delayed an announcement of the theft of private information as long as it did would have been because they truly believed that their credit card database was in fact secure. Of course, with the investigation ongoing they couldn’t concretely prove that, and so in the interest of the consumers they released the information so that people could take appropriate actions. Now I know what some of you that have been reading up to this point are thinking. “Burn, you sound like you’re defending Sony despite your initial statements to the contrary.” Certainly, it does sound like I’m defending Sony, but look more carefully. I have been careful within the last few paragraphs to refer to SCEA and not Sony as a whole with respect to actions taken. Let’s remember that Sony is a big company with multiple SCE divisions, the main one, of course, being Sony Computer Entertainment, Japan (SCEJ). Considering this, SCEA cannot act or say anything without final approval from SCEJ, as it is in charge of all corporate announcements. While these bits of info help to provide some insight into the actions of Sony as a company in the lead-up to their public announcement, they do not excuse the fact that Sony did not tell its customers what to do once the breach had been mentioned in the press release from April 20. Effectively, they tried to downplay the severity of the situation in the early stages of the investigation, as opposed to letting consumers know that they needed to, perhaps, check their credit statements, and how to protect themselves from any potential fraud.
But what about the person or persons that perpetrated the act? Who could they be? Initial speculation stated that it was probably Anonymous. However, Anonymous has strangely denied this and stated that there was no coordinated effort to bring down PSN that was sanctioned by the group. They were quick to add, though, that it could have been a splinter element of their group acting independently. Moreover, many experts have urged the public affected by this not to panic. But why? Surely the theft of all that personal information must be detrimental, right? Well, considering that there has been only one case of credit card fraud for a PSN customer in the seven days since the breach, we can probably all breathe a collective sigh of relief. In fact, let’s run through the math of this for a second. Sony stated that 77 million accounts’ worth of data were breached. Of those 77 million accounts, let’s assume that only 50% of them are active (which may be a liberal estimate, considering that the 77 million represents accounts created across all Sony platforms and does not distinguish between active and non-active users). That leaves 33.5 million accounts online on the PS3. If that’s the case, then surely there should have been countless cases of credit card fraud and phishing scams already reported. And yet, we’ve heard nothing except for one case of fraud in Australia. I suppose that one could make the argument that it’s still too soon after the breach, and that the scrutiny from law enforcement agencies looking into this is still too hot. Therefore, the criminals in possession of this information could be waiting until the dust settles a bit more before acting on their newfound treasure trove of information.
Personally, I bet that the person or persons that did this probably acted with the full intention of scaring the fuck out of everyone and of securely planting some egg all over Sony’s face for thinking it was indestructible after preventing early hacking efforts in the PS3’s early years. Looking around the web, there are people much smarter and better versed in these matters that seem to share this opinion (see Michael Pachter’s opinion regarding the hacker in the Ars Technica article).
Of course, until the guilty parties are caught by the authorities, the threat of widespread fraud using the stolen information will remain constant, along with the threat of other major hacking attempts on other large databases of information. Moreover, it isn’t going to stop some severe consequences from coming to Sony in the form of litigation. Game Informer posted an article yesterday reporting that a class action lawsuit against Sony has already been filed by the California-based Rothken Law Firm. Then again, a recent Supreme Court ruling may have saved Sony a lot of potential legal headaches. Should this situation get any worse, or if any signs of serious misconduct are found to have occurred, this could be the tip of a very big iceberg for Sony. Also, how is Sony going to atone for the damage done to its user base? What mea culpa, if any, could be done to regain their trust? Michael Pachter has a few ideas that he mentioned to Ars Technica. “I expect that Sony will give everyone some free stuff—a Fat Princess download?—and they will definitely refund something to the PlayStation Plus customers,” Pachter said. He added, “Over the long run, we'll all forget about this, unless it happens again.” In a similar interview with Joystiq, Pachter also stated that “I truly don't think they (Sony) will lose many customers over this.”
Regardless, I imagine that there will be some major shake-ups at Sony in the upper levels of management. Moreover, I wouldn’t be surprised if Sony’s internal PR and community management procedures were put under the microscope internally and completely overhauled even before the dust settles. As a suggestion, Sony, you may want to follow the lead of Microsoft. While their platform is just as vulnerable as yours to hacking and other cybercrime, it’s a pretty safe bet that they would have been much more upfront about what was going on initially. I also think that it goes without saying that Sony is going to lose hundreds of millions, if not billions, as a result of this fiasco. In fact, CNBC has already reported that Sony’s stock was down 1% as of April 26th (it’s now down almost 3% in after-hours trading). I guess it’s a good thing that Sony still has the release of Uncharted 3 later this year, along with some other cool content, to at least put a band-aid on what is a huge gaping wound of a disaster.