There’s little disputing that Sony has just suffered one of the biggest consumer security screw-ups in history. But that’s made worse by what can only be described as awful communication.
For those who’ve somehow missed it, the story in short is that Sony’s online gaming system, the PlayStation Network, has been offline for a week. Yesterday the company revealed this was a response to a hacker breaching the system and gaining access to most if not all of the data users had stored when setting up their PSN accounts.
The questions about how this happened from a technical perspective are naturally dominating public response, but as a tech blogger with a background in both journalism and public relations, it’s clear to me that Sony’s communications during the crisis have made things far worse than they need to be.
The problems began the moment the service went offline and users switching on their PS3s were simply greeted with the message that there was a “80710A06 error.” Now, it’s certainly possible that the problems meant Sony was unable to send out a custom error to users, but even then, it would have been a smart idea in the first place to customize this error message so that it explained the problem in plain English. Certainly most users were probably savvy enough to search for the error code online, but with 75 million PSN account holders, I’m sure there were a huge number of people needlessly left thinking their console was faulty, turning to Sony’s help lines and forums for help.
Then we turn to the silence of the next few days, during which the extent of Sony’s communication boiled down to “Yeah, it’s broken, we’re trying to fix it and it’ll probably be done soon.” Not a word until yesterday about the data breach.
Sony has now attempted to explain that by saying “We learned there was an intrusion on April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.”
That’s simply not good enough. Even if it’s true, it’s not believable. It simply doesn’t make sense to outside onlookers that it could take six days to figure out that data had been compromised.
Let’s be honest: had Sony announced the breach (or even the possibility of it) a few days ago, it would have made little practical difference to most users: smart security practice it may be, but in reality few of us are going to bother figuring out the login details we used for PSN and then check whether we use them on any other accounts or sites and update them appropriately. But what matters here is perception: the longer it took Sony to reveal the breach, the more people are upset by the amount of time during which they had no personal control of the situation and the risk to their data, and the more it looks like Sony was trying to keep things secret.
The lack of information also creates another perception of the company, however unfair it may be: that it spent six days acting as if the biggest concern was getting people back online and gaming, detracting attention from the question of security.
To make things even worse, Sony is adopting what comes across as a policy of secrecy about how the problem came about, hiding behind the excuse that security makes it impossible to share any further details. That policy simply leaves customers asking tough questions — did Sony really store everyone’s data in a single location in unencrypted format — and assuming the worst. Either Sony screwed up to a spectacular deal and is shy about saying so, or it’s missing a valuable opportunity to clear things up.
And then we turn to the credit card issue, on which Sony says “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”
Certainly I’m not going to criticize the company for mentioning the possibility — indeed, the fact that it didn’t do so earlier is likely going to feature in the inevitable class action lawsuits. But more detail really would have been helpful here. Sony needs to explain in layman’s terms why it is possible the card details have been compromised and what if anything mitigates against the risk, at least giving users a shot of assessing the likelihood of a breach. As things stand, it comes across as Sony simply throwing out a blanket warning in the hope of escaping any legal responsibility if people suffer credit card fraud.
And finally we have Sony publishing a Frequently Asked Questions list today, 19 hours after the initial blog post announcing the breach. Leaving aside the fact that most of these FAQs remain unanswered for “security” reasons, it’s mind boggling that the company couldn’t have figured out these queries and sought to answer them in the initial announcement rather than let the issues fester for almost a full day.