The irresponsibility of one of the biggest companies in the world has cost it the trust of its loyal fan base and put millions at risk of credit card fraud and identity theft. It didn’t need to happen that way.
The PlayStation Network has been offline since Apr. 20 when Sony shut the service down to investigate a breach in its system.
In a week filled with blockbuster releases like Mortal Kombat, Portal 2, and SOCOM 4: U.S. Navy SEALs, the shutdown couldn’t have happened at a worse time for Sony. These games feature PS3-exclusive content like the Kratos playable character in Mortal Kombat, Steam integration in Portal 2, and a flagship online multiplayer in SOCOM.
According to Sony, personal information like a person’s name, home address, telephone number, PlayStation Network username, email, answers to security questions, and password wasn’t encrypted. Credit card information was encrypted and protected. Since the breach, many people are experiencing issues with unauthorized charges on their credit cards. Apparently that information wasn’t protected well enough.
These kinds of things are inevitable in today’s world, but that doesn’t mean they are completely unavoidable.
Sony’s communication has been extremely poor and downright unacceptable. The initial lack of updates, changing stories, and vague responses created a problem for millions of users unable to protect themselves because of faulty information. It took Sony an entire week to inform its users of the severity of the security breach.
At first Sony tried to hide the breach as server maintenance, downtime, and so on. The story kept changing while the situation kept getting worse. It knew the entire security infrastructure needed to be rebuilt. Sony didn’t let users know their personal information was at risk until a week later. Sony claims it didn’t know the severity of the breach and therefore didn’t inform anyone. That’s not a good enough excuse.
For the most part Patrick Seybold, Sr. Director of Corporate Communications and Social Media, has been the only one giving updates. In a situation like this, Seybold isn’t the man you want to hear from. Why was he the only one saying anything, much less on a blog? There weren’t any public statements from Sony executives for more than a week. Kaz Hirai gave a conference yesterday where he mostly repeated what’s already been known and didn’t provide anything substantial.
With so many ways to constantly keep in contact with its users, especially with social media sites like Twitter, Facebook, YouTube, and even the official PlayStation Blog, there’s absolutely no excuse for Sony’s poor line of communication. There’s been no honesty or transparency from the company.
It’s understandable that Sony cannot be fully transparent on the technical details because it gives hackers more ammo. Still, the week-long delay and asking people for their “patience” are an insult to its users.
The company continues to say that “there is no evidence at this time that credit card data was taken.” Sony won’t admit it already has. Stories are already surfacing across the internet of people experiencing fraudulent charges. During the press conference, Kaz continued to deny knowledge of credit card fraud. Now, is Sony lying, or are all these people? In whose best interest is it to lie here?
Should we believe Sony is telling the truth and it’s all just a massive coincidence that people are slowly reporting credit card fraud in the days after the PSN breach? Sony has yet to confirm whether the credit cards’ CVV codes were stolen as well. With the way it protected personal information, it’s not a far stretch to assume that the credit card information was poorly secured too.
The Responsible Party
“Anonymous” hacked Sony a few weeks ago, affecting the PlayStation Network and not allowing gamers to play online. Sony claimed the PSN outage was due to “sporadic maintenance.” More than likely, the Anon attack exposed the frailty of the PlayStation Network, and emboldened other hackers to try to go further and steal sensitive information from Sony’s database.
The company should have issued a warning to PlayStation users then that their personal information could be at risk due to Sony’s network security. PSN should have been immediately shut down and its security enhanced. It wasn’t. During the conference, Sony claimed the breach between Apr. 17-19 was the only one that’s happened. This completely ignores the Anon attack which was a prelude to the current issue.
This latest attack is by opportunists looking to get rich by stealing and selling credit card and other personal information. Their actions are nothing but deplorable and despicable. While the responsible parties should be found and prosecuted for what they’ve done, they aren’t the only ones in the wrong.
Sony has a major role in this situation. Don’t put all the blame on “hackers.” Don’t only blame George Hotz, the face of the PS3 hacking community. Sony are the ones in charge. Blame Sony for not properly securing sensitive user information. Blame Sony for keeping its users in the dark.
Sony didn’t encrypt personal information. Why wasn’t this information protected? The fact the company needed a revamping of the entire system implies its security was below the necessary standard. Sony admitted the exploit was a known vulnerability, yet it didn’t secure the problem until it was too late. Even though Sony has worked on a new data center that’s been “under construction and development for several months,” it still left PSN users in a state of limbo and in danger of a situation like what took place.
It doesn’t matter that Sony and PlayStation officials are getting hammered by the media over the situation. No one should care about the PR nightmare this is causing Sony. The only nightmare that matters is the one created for millions of gamers. Sony aren’t the victims here. To claim so is absurd. The Sony apologists are enabling the company to avoid responsibility for its careless actions.
During this time, undying brand loyalty is ridiculous. This has nothing to do with fanboyism. This has nothing to do with the quality of the system or PlayStation 3 games. The PS3 has an amazing list of games and downloadable PSN titles. This has to do with a multinational, multibillion-dollar corporation having a total lack of regard for its customers.
Sony’s lawyers had time to recently write up a new Terms of Service, but not the time to create a message on the PlayStation Blog or mass emails during the initial stages of the PSN outage. In Section 15 of the latest Terms of Service, Sony added that it’s not responsible for PSN outages. How conveniently timed. The fact Sony updated the PlayStation Network TOS only a few weeks ago shows the company had foreknowledge of something brewing on the horizon.
This situation is much deeper than simply hackers looking to make a quick buck by stealing credit card data.
Sony’s reaction to the hacker community and its handling of a court case brought on the wrath of other hackers and led to this latest attack. This all started when Sony took away a feature like Linux post-sale through a mandatory firmware update in March 2010. This upset many PS3 users. Then Sony went after George Hotz in a lawsuit for “jailbreaking” the PS3 and distributing that information online.
During the lawsuit, Sony Computer Entertainment America wanted a federal judge to grant it the IP addresses and other personal information of people who visited Hotz’s Web site. Sony also wanted Google to hand over the identity of anyone who even watched or left a comment on Hotz’s YouTube videos. Those people didn’t do anything illegal. Hotz and Sony eventually settled the case earlier this month.
Addressing the security breach on his official blog, George Hotz said:
The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts.
Sony wanted to throw its corporate weight around, and it got burned, along with millions of innocent PSN users. Sony simply doesn’t care about the consumer. Period. No one should be defending them. Sony’s anti-consumer actions and the company’s total lack of respect for its users are shameful.
The Damage is Done
While Sony has made great strides in improving the quality and image of the PlayStation 3 and PSN since the system’s negative launch in 2006, this latest series of actions sets that progress back to zero.
The PlayStation and Sony brands are damaged. It will take months to repair their image. After this fiasco, how can anyone trust Sony in the future? Is this new network really as secure as it needs to be? It doesn’t matter how great games like Uncharted 3 will be if users don’t feel safe playing on the system. Regaining its users’ trust will be a long process.
Who knows how deep this problem goes? How long has Sony been this inept? Since the creation of the PlayStation Network five years ago?
The New York Times reported that 2.2 million credit cards might be for sale by the hackers. Kaz said there are close to 10 million PSN accounts with credit card information tied to them. That information has been out in the wild for more than a week now. While the word has finally gotten out and people are now monitoring their credit card statements, the financial and psychological damage has already been done.
This should have great ramifications for the game industry and privacy rights. Online has become a rising force in console video games, something that was unimaginable ten years ago. Online gaming is no longer a luxury when developers and publishers are incorporating so many online capabilities into their games. Free service or not, people still paid $300 for the PS3 system and $60 for their games. Players cannot use features in their games because PSN is down. If a player uses a PSP Go, they can’t buy and download new games because the system is an all-digital format.
Why do Sony, Microsoft, and Nintendo need so much of a player’s personal information just to play their games? Why do players need to accept unintelligible terms of service just to be able to play the latest games they purchased with their hard-earned money? Why are online features like trophy syncing and access to PSN necessary to play retail and downloadable games? These concepts need to be strongly reexamined going forward.
Sony needs to let people know exactly how it will be protecting people in the future. Vague responses and generic terms like “robust and strong security” won’t cut it anymore.
At the end of the day, Sony will spin this so the hacker community will take all the blame. Sony has worded its updates in a way that deflects any responsibility from the company. With the way Sony is talking (“criminal act,” “malicious actions,” “external intrusion”), one would think it’s just an innocent bystander caught in the middle of a terrible circumstance beyond its control.
Sony cannot hide behind lawyers, mindless PR robots, delusional fanboys, and terms of service this time around. It cannot hope everything just blows over and people forget. The company needs to be held accountable for its role in this disaster. Free games and downloads don’t automatically make everything right.
Kaz said users will be compensated with a free month of PlayStation Plus and other downloads. A trial version of a paid service and a free PlayStation Network download aren’t going to be enough for the trouble it has caused for millions of PSN users. The free PlayStation Plus could be seen as nothing more than a marketing ploy, because users won’t get to keep the free content once the trial has expired. Ironically, people will have to give their credit card information to continue to subscribe to the service.
The only worthy compensation Sony should provide is taking full responsibility for the situation, making the PlayStation Network one of the most secure on the planet, and restoring the broken trust with its millions of users. “Welcome Back” isn’t just a catchy slogan for Sony to slap on a press release. It needs to be earned.