Whatever problems you've faced at work today just comfort yourself with this thought: You're probably not "head of security" for the PlayStation Network.
Yeah, Sony have been the victims of an intrusion, and the question that everyone is wondering (and I certainly hope you are thinking about this if you're a Sony Playstation network customer) is what exactly has been "lost" and how quickly can you get all your banking security details changed. That's 77 million user account details leaked, and given the breadth and depth of what has been lost you have to wonder if the people who set this up bothered to encrypt any of this data, and come to think about it you have to wonder if they were doing neat shots of vodka for each line of code typed.
Now I've got to admit that I've not been a fan of Sony since the whole "rootkit in your music CD" thing, but reading this just knocks me sideways. You have to almost feel sorry for them as the impact on their business from this could be massive, and certainly this is going to cause a big dent in their credibility. When you start popping up in the pages of the mainstream press as the victim of a hack attempt that might have caused customer bank details to be 'lost' on the day you were hoping everyone would instead be talking about your new tablets then its a pretty bad day in the office.

When the rumours start doing the rounds that the whole reason for this hack was because you pissed off a bunch of hackers over a legal case that you then managed to blow anyway… well you have to wonder what the hell they are actually doing at Sony’s Computer Entertainment division because they certainly aren’t thinking before they act.

Lets be clear: This is a Really Big Deal. With the capital letters and everything. The potential for harm to customers is bad enough, but it gets worse. Sony might well lose customers over this, and they will certainly dent the confidence of the indie game developers and other partners who rely on the Playstation network for their revenue stream.

Much worse is the way Sony have handled it, since the downtime began on the 20th of April. I see two options here and neither of them end well for Sony:

  1. Sony knew of the intrusion on the 20th of April(by which I mean that user account details had been compromised, not merely that service had been interrupted)and didn't bother telling customers for nearly a week .I can understand the need to try and put a good spin on things but as I've said before, once you've been hacked the Bad Thing has already happened. Your first duty is to stop it getting worse. And "hacked and allowed customers to be victims of identity fraud because you sat on your ass for 5 or 6 days" is definitely much worse than "hacked but acted quickly to warn customers they were at risk before anything bad could happen".
  2. Sony didn't know the extent of the intrusion until the 26th of April. This suggests that either their security and monitoring tools are, how shall we put this.... laughably inadequate, or that the site was compromised so badly that the hackers have effectively had their hands thrust so deeply into the site that they've been using it to put on puppet shows for their friends for a week and Sony have only just now pinned them down and grabbed it back off them.It's easy for people like me to sit on the sidelines and sneer about the possibility of this, but for an organisation like that, with a user-base like that and the budget they should have for securing everything that really would be shocking.
Either way, there is no doubt that they have acted badly here. Their warning came late after the incident occurred, its release was handled poorly - both in terms of how its distributed to customers and that whoever wrote it appears to have forgotten that the world is a very big place and some parts of it are not America.

Still, if you do work for Sony, I have some advice for you. The scale might be different but the actions you need to take remain broadly the same. If you don’t work for Sony then don’t just laugh at their discomfort. Consider if there are any lessons your business needs to learn from this. What would happen if someone stole customer details from your website tomorrow? How would you cope with it?

As an aside, I bet there are a few people staying late at the Microsoft and Nintendo offices, and probably a few others, since this news broke. Whether they’re partying and laughing so hard that some of them have dislocated their jaws or whether they’re burning the midnight oil double and triple checking the security of their own systems is left as an exercise for the reader.

Update

As per the Register, Sony have issued more information about the intrusion that suggests that credit card info, at least, is protected. This is good news, but given that people tend to use the same passwords, security questions, etc on more than one site I’d still be worried.