note to tech companies: learn from sony’s mistakes


Posted on May 15, 2011 at 9:18 pm ct

Today, Sony finally restored the PlayStation Network after taking it down for almost a month following a massive cyber-attack. The entire episode provides a cautionary tale that other companies ought to heed.

This article from the International Business Times summarizes the outage timeline quite well. In short, PSN was hacked around the 17th of April, and Sony shut down PSN on the 20th. Several days later, Sony acknowledged their discovery that a large amount of personal information was compromised. This included passwords, names and addresses, and possibly even credit card information. After numerous public apologies and promises, Sony finally got PSN back online this weekend.

Sony mishandled the entire situation, both from a technical standpoint and a PR standpoint.

First, the technical side of things. If the network had stronger security to begin with, none of this would have even been an issue. With cyber-attacks ever-increasing in frequency, scope, and complexity, tech companies need to stay ahead of the game more than ever. Sony clearly was not prepared for an attack of this magnitude. Though I sang the praises of the cloud in my post the other day, trusting another company to keep the cloud secure is what makes it a double-edged sword. Sony failed to keep data secure, and they are paying the price.

When it comes to security, though, here’s Sony’s most egregious error of all: unencrypted passwords. Even if the hackers managed to steal some information, this event would have been far less awful if passwords were encrypted. Unfortunately, by all appearances they were stored in plain text or with very weak encryption (hence Sony’s warnings to consumers and the mandatory password changes with PSN going back online). In this day and age, storing passwords without strong encryption is simply inexcusable.
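As an added illustration (not Sony's code, and not from the original post), here is the standard way to keep a password store from becoming a plaintext leak: store only a salted, deliberately slow hash of each password and recompute it at login. The record format, iteration count and sample user table below are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user
# random salt and a high iteration count to slow down offline guessing.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored record and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, stored)


# Constructed sample: a "before" table that stores plaintext passwords.
PLAINTEXT_TABLE = {"alice": "correct horse", "bob": "hunter2"}


def migrate_table(table: Dict[str, str]) -> Dict[str, str]:
    """Replace each plaintext password with its hashed record.

    After migration the original passwords exist nowhere in the store, so a
    stolen copy of the table yields only salted hashes that must be guessed.
    """
    return {user: hash_password(pw) for user, pw in table.items()}
```

Because each user gets a different salt, two users with the same password still produce different records, so one cracked hash does not unlock every matching account.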

Let me also note that I have no sympathy for Sony in this entire situation, as their history with security was already shady. Does anyone else remember the rootkits bundled on CDs they sold a number of years ago?

That, in a nutshell, sums up Sony’s failings from a technical perspective. How about from a PR standpoint?

First off, they were too slow to get out in front of the issue and communicate with consumers. It took several days for a blog post summarizing the issue. I understand that they were doing research to understand the scope of the attack, but they still should have communicated on a higher level than they did. You don’t want to incite panic and fear the worst, but you also have an obligation to inform customers that there was potentially a serious breach. In the weeks that followed, Sony improved somewhat, but they still couldn’t recover from that first-week hit. Later on, they missed their promised timeline to restore service, provided one vague blog update, and then went silent for four days until service was restored. Now, I’m not demanding daily updates if there’s nothing to report, but what are you paying your PR people for if they are going days without providing any useful information?

I’m not a huge gamer these days due to time constraints, so I really didn’t miss having the PSN available all that much. What bothered me more was Sony’s mishandling of the situation in all aspects. I’ve enjoyed my PS3 (and my PS2 before it), but I’m going to be much more hesitant when it comes to Sony products in the future. I don’t think I’m the only one, either – I imagine Sony’s brand equity has taken a sizable hit.

Other companies had better be paying attention. In this age, where more and more sensitive data is moving online, and cyber-attacks are becoming more and more common, another company could be the next target. What if it’s not just the PSN, but a bank or some other more important institution? Here’s hoping that companies in every sector are beefing up security and improving their responses from a PR standpoint as well.



disclaimer


The views expressed in this blog are solely those of me, Alex Popoutsis. They do not represent the views and opinions of my employer (Cerner Corporation), or any other entity.

Likewise, the views expressed in this blog's comments are those of the respective commenters. They do not necessarily represent my views, and the presence or absence of a particular comment does not indicate my agreement or disagreement with said comment.
