When the rumours start doing the rounds that the whole reason for this hack was that you pissed off a bunch of hackers over a legal case that you then managed to blow anyway… well, you have to wonder what the hell they are actually doing at Sony’s Computer Entertainment division, because they certainly aren’t thinking before they act.
Let’s be clear: this is a Really Big Deal. With the capital letters and everything. The potential for harm to customers is bad enough, but it gets worse. Sony might well lose customers over this, and they will certainly dent the confidence of the indie game developers and other partners who rely on the PlayStation Network for their revenue stream.
Much worse is the way Sony have handled it since the downtime began on the 20th of April. I see two options here, and neither of them ends well for Sony:
- Sony knew of the intrusion on the 20th of April (by which I mean that they knew user account details had been compromised, not merely that service had been interrupted) and didn't bother telling customers for nearly a week. I can understand the need to try and put a good spin on things, but as I've said before, once you've been hacked the Bad Thing has already happened. Your first duty is to stop it getting worse. And "hacked, and allowed customers to become victims of identity fraud because you sat on your ass for 5 or 6 days" is definitely much worse than "hacked, but acted quickly to warn customers they were at risk before anything bad could happen".
- Sony didn't know the extent of the intrusion until the 26th of April. This suggests that either their security and monitoring tools are, how shall we put this... laughably inadequate, or that the site was compromised so badly that the hackers have effectively had their hands thrust so deeply into it that they've been using it to put on puppet shows for their friends for a week, and Sony have only just now pinned them down and grabbed it back off them. It's easy for people like me to sit on the sidelines and sneer about the possibility of this, but for an organisation like that, with a user base like that and the budget they should have for securing everything, it really would be shocking.
Still, if you do work for Sony, I have some advice for you. The scale might be different, but the actions you need to take remain broadly the same. If you don’t work for Sony, then don’t just laugh at their discomfort. Consider whether there are any lessons your business needs to learn from this. What would happen if someone stole customer details from your website tomorrow? How would you cope with it?
As an aside, I bet there are a few people staying late at the Microsoft and Nintendo offices, and probably a few others, since this news broke. Whether they’re partying and laughing so hard that some of them have dislocated their jaws, or whether they’re burning the midnight oil double- and triple-checking the security of their own systems, is left as an exercise for the reader.
Update
According to The Register, Sony have issued more information about the intrusion that suggests that credit card information, at least, is protected. This is good news, but given that people tend to use the same passwords, security questions, etc. on more than one site, I’d still be worried: if you used your PSN password or security answers anywhere else, they need changing there too.