Sony’s huge PlayStation Network (PSN) has been down for a week now following the theft of ID and credit card data on some or all of the gaming and video entertainment network’s 77 million customer accounts. Readers have been asking for comment but I stay out of these things unless I have something new to contribute. That something finally comes a week into the crisis as gamers begin to wonder why the network is still not back in operation and speculate on what this all means to Sony. It’s a huge loss of face, of course, but beyond that the damage to Sony is minimal. And the upside for PSN members, including those involved in the many emerging class action lawsuits, is likely to be bupkes. Nothing.
Recent history suggests Sony’s likely gift to users as an apology for losing their personal data will be some period of free credit monitoring and a free month of PSN service. If that sounds generous you might be surprised to learn that the going price for wholesale monitoring from the big U.S. credit reporting firms is approximately five cents per account per month, or $3.85 million per month if all 77 million PSN accounts have been compromised. The usual terms for a mea culpa of this sort are three months of monitoring, for a total cost to Sony of around $11.5 million.
“It will cost them more to send the e-mails making the offer than it will to provide the service,” said a source of mine in the credit reporting industry.
If you are hoping for big bucks from a class action lawsuit, go back and read the PSN Terms of Service you clicked through without reading when you first joined the network. As with nearly all such legal agreements, you signed away any significant right to compensation beyond the direct cost of the service for the time it is disrupted. Only the lawyers will make a dime from this.
That is not to say that Sony takes the attack or the subsequent outage lightly. No Japanese company would. But the fiercely proud corporation also hasn’t gone out of its way to apologize. No Japanese company would. A funny thing about Japanese business culture is the tendency to apologize profusely for absolutely anything that is beyond the control of the company or its executives. They’ll apologize for traffic, for bad weather, for someone else’s mistake, but if the company or its leaders have actually screwed up they generally won’t say a thing, which is not at all good for Sony’s global image.
This outage comes in large part because Sony has been so aggressive against hackers, who finally decided to slap down the electronics giant. This is not to argue that Sony shouldn’t defend itself, but it is to argue that Sony should have expected elevated attacks as a result of its actions. Maybe they did expect more trouble, but the fact that they were so easily compromised shows corporate hubris at a reckless level.
Now let’s consider for a moment why this outage is continuing a week after the break-in. Speaking with a few experts and reading the official Sony FAQ gives some insight into what may really be going on. Sony says it is investigating, but should an investigation really take this long? Can’t the server logs and other network data be locked down in a few minutes and examined at leisure? Sure. Preserving the evidence is the quick part; it is not what keeps a network offline. So when Sony says it is investigating, what they probably mean is they are trying to fix the problem, seal the breach, and make sure that particular gambit cannot be accomplished again. This takes time — hours of programmer time and dozens or even hundreds of hours of QA time to make sure the fix scales properly and will work under a full network load.
Sony doesn’t say this, of course, but that puts us back to the fierce pride part. While they can admit a break-in they find it very difficult to say they are putting locks on the doors that never had them.
But wait, there’s more! In the official Sony FAQ and also the Official PlayStation blog there is an amazing admission that the company really has no idea how many user accounts were compromised. They suggest that users “assume” their data has been stolen. Well, was the data stolen or not? That big unencrypted or shoddily encrypted file with the details of 77 million account holders either left the building or it didn’t, right?
Sony doesn’t seem to know.
This is from the official PlayStation blog:
Q: Was my personal data encrypted?
A: All of the data was protected, and access was restricted both physically and through the perimeter and security of the network. The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.
Q: Was my credit card data taken?
A: While all credit card information stored in our systems is encrypted and there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained. Keep in mind, however, that your credit card security code (sometimes called a CVC or CSC number) has not been obtained because we never requested it from anyone who has joined the PlayStation Network or Qriocity, and is therefore not stored anywhere in our system.
I love the part about it having been a malicious attack. Had the attack been less malicious, would less data have been lost? That is the sound of Sony whining.
When I discussed the attack with a friend of mine in the enterprise data security business he offered an interesting speculation. “A really smart criminal would want to cover his tracks,” said my friend. “You can either grab the data and hope to slink away unnoticed or you can grab the data then destroy everything on your way out.”
In a worst case scenario, Sony doesn’t even know what vulnerability the crackers used to gain entry. Sony may be literally clueless.
The people behind this PSN hack didn’t want it to go unnoticed. They wanted Sony and Sony users to know they had been violated. And Sony’s apparent ignorance of just what was taken (possibly even how it was taken), plus the fact that the network is still down a week later, strongly suggests the crackers may have thrown a few metaphorical hand grenades into the system on their way to Denny’s for that celebratory Grand Slam breakfast.