It Only Disappoints You

Let me say this first, because in the hullabaloo surrounding Sony’s almost criminally irresponsible handling of the ongoing PSN outage and compromised customer data, I feel like this point is quickly lost.

The bad guy (or at least the worst guy) in all this is the person or organization that hacked PSN.

I realize that Sony has managed in the aftermath to come off like the gawking bystander that hangs out watching as a horrific crime takes place, only thinking to bother calling the police long after the blood has dried on the sidewalk. In a way, it’s almost easier to be mad at that guy, and even to begin to blame him for the whole incident. I have to remind myself that the company didn't actually start this whole thing.

Sony is obviously not an intentional accessory to the actions that have crippled their system and exposed millions of customers to the worst kind of potential identity hazards, but like almost everyone else I am perplexed and aghast at their response. A response so bad that it has made virtually everyone madder at them than at the feckless waste of ejaculate who perpetrated the crime in the first place.

My initial reaction, however, was not anger. That has brewed very slowly, like a pitcher of tea steeping on the porch during a hot summer day. It wasn’t even surprise. It was something more like amused, cynical resignation.

This isn't just the Sony I had feared; it's the Sony I had expected.

On hearing that the company had not only allowed some anonymous hacker to waylay their online system for what has already been a truly extraordinary period of time, but also failed to disclose or even recognize that customer data had been compromised until nearly a week had passed, I felt a lot like I do when I read stories about Donald Trump. That is to say vaguely annoyed and at the same time absolutely amazed at the magnitude of idiocy involved.

Watching Sony muddle their way through this latest blemish on their already not-particularly-good name, I feel like I might actually be watching a Monty Python skit on how not to react. It's like responding to getting slapped in the face by just slapping yourself even harder. I keep expecting one of the talking heads from Sony to suddenly start doing funny walks or be stomped on by a giant cartoon foot. If it weren't so painfully serious, it would be comical.

From here on out, however, my confidence in PSN and the parent company, not only as someone who watches the industry but as a past Sony consumer, feels irretrievably ruined. Without measuring Sony up artificially against other consoles—looked at alone in the harsh, cold spotlight—there’s no good reason I can imagine to ever again trust them with my personal information. I'd sooner give my credit card number to a Nigerian prince.

What I really hope, though, is that other holders of my information are paying close, damn attention. Frankly, it’s easy enough for me to throw the Sony out with the bathwater; I don’t have a lot of collateral at stake in our relationship. In the end, I still feel happy enough having a decent Blu-Ray player and a system that I may occasionally boot up to play some rented exclusive. It would be a lot harder to walk away if this were Microsoft or Steam instead, and I feel for the people who would like to extract themselves from Sony’s grip but who have invested countless dollars into the PS3 as their gateway into gaming and social spheres.

I sincerely hope that there are a lot of much smarter people kicking around making sure that the same sorts of vulnerabilities aren’t manifest in the systems I depend upon. I realize no system, certainly not those as complex as these gaming portals, can ever be completely failsafe. So what matters most is how prepared a company is to react to a crisis, and I can’t help but feel like Sony just got their butt kicked in the parking lot of a bar and has decided to react by bleeding on the ground for a while.

It’s just the first in a flurry of street brawls I suspect the company will likely endure as the first rounds of litigation begin to take shape and the media begins to have its field day. But, honestly, I’ll be watching with only a casual passing interest, because I’ll no longer have a dog in that fight. After all, I’m now only a former Sony customer.

Comments

I'd never put that kind of information on PSN! The security of buying prepaid credit points with cold cash is worth the small premium on pricing.

LarryC wrote:
I'd never put that kind of information on PSN! The security of buying prepaid credit points with cold cash is worth the small premium on pricing.

Just, please, don't make the leap to telling everyone who did that it's their own fault for making such a dumb choice. I'm not in the mood for the trololol.

Elysium wrote:
So what matters most is how prepared a company is to react to a crisis, and I can’t help but feel like Sony just got their butt kicked in the parking lot of a bar and has decided to react by bleeding on the ground for a while.

Well put. Again, no system is invulnerable, but Sony's hesitant and noncommittal response has done major damage to consumer confidence. Has Valve ever handled a problem like this? I can't help but feel they'd have a much more effective contingency plan—for a PR response, if not a security response.

Elysium wrote:
I'd sooner give my credit card number to a Nigerian prince.

DEAR SIR OR M., I AM SURE AND HAVE CONFIDENCE IN YOUR ABILITY AND RELIABILITY TO PROSECUTE A TRANSACTION OF THIS GREAT MAGNITUDE INVOLVING A PENDING TRANSACTION OF U.S. $20 MILLION REQUIRING MAXIMUM CONFIDENCE. PLEASE TRANSFER FEE OF $5,000 U.S. FUNDS AT EARLIEST CONVENIENCE FOR TO EXPEDITE PROCESSING.

wordsmythe wrote:
I'm not in the mood for the trololol.

TOO BAD.

I think you've hit the nail on the head. It's not the fact they were hacked, it's the reaction. ANYONE could have this happen. But the fact that they LIED to start with, and then didn't come out with the truth until 6 days later is unforgivable. On 4/20 and 4/21 they were "investigating the cause of the outage" and then on 4/22 they said they took it down themselves. Now which was it? You're "investigating", or you realized you left the back door hanging wide open with a neon sign saying "COME ON IN HACKERS!" and had to slam the door shut to prevent any more loot from escaping out the back door?

I think to this very second that Sony believes they handled this fine, and if it were to happen all over again, we'd see no different of a reaction. I don't know if I can completely ditch my PS3, but for sure, any multiplatform games will be purchased on the 360 from here on out, and my information will not be accurate on the PSN any longer.

Sean - good points all, and as usual - I totally agree with you. I have been giving the ps3 a pass this entire generation out of a loyalty to the brand that began with the ps1.

Microsoft, I am all yours.

Right with you, Sean. I don't know why I was surprised at Sony's stupidity in handling this. I've already cancelled the credit card I use for online stuff, which I did use sometimes on the PSN to buy downloadable titles. That's actually the least concerning part for me, as I use this one credit card specifically for all online things I do because I know it's only a matter of time before it gets frauded. My name and address can be gotten far more easily than breaking into Sony's data centre, so I'm not overly concerned about people finding out where I live. I assume they already know. I'm more concerned about the fact that most people use a single password for most of their online accounts, which is of course a very bad idea in light of something like this.

I thankfully never bought anything on PSN or gave them my credit card, but I really wish they'd let me at least see what information got out there.

What password did I use? Did I put in my real name and address or an alias? Why did they need that information in the first place?

I'm honestly having to scramble to remember what other websites I have to PW change now because of this. I guess I just took auto-signing in for 3 years for granted, which is at least partially on me. Never again will I share my real information for something that doesn't have a valid reason to require it.

Time to make up a fake identity!

Cringely put out a decent article on this today. Basically, a lot of Sony's communication issues are cultural. Second, odds are the hackers broke stuff on their way out so people would notice they had been there because if you really want to steal stuff, you sneak in and sneak out.

I did cancel my credit card the same day Sony issued the press release, also my confidence in Sony was canceled the same day.

I recommend using https://lastpass.com for website password management. I have no connection except as a very satisfied customer. The service only costs money (and then only $1/month) if you use it on mobile devices.

This service is also recommended by Steve Gibson of the Security Now! podcast.

Hans

I use the free KeePass utility to create/manage my passwords. Last year I started moving from my 'default' password to randoms for each one. It helps keep me from shopping on Amazon while at work.

I wonder if this hits particularly hard because gaming is supposed to be an escape, a place to leave your everyday vigilance behind. Now it's another piece of life that you have to 'worry' over. Sony was supposed to be something you rooted for, like a favorite band or something, and not another company to cause you headaches.

I would say that all three console manufacturers have been pretty negligent this round of consoles, just in different ways.

Sony as stated above, Microsoft for producing the pile of junk that is the Xbox (nothing like getting to buy it 2-4 times), and Nintendo for gladly selling you a console, but not wanting to actually invest much money into software development.

I will say that the PC (even dealing with Microsoft selling it out for the Xbox), has been amazing. Sure I spent $700 on my gaming PC a few years ago, but people have spent at least that if not more on their Xbox 360's, once they died and had to be brought back to life how many times? ;)

I for one, hope the next generation is one of lessons learned from this very rocky console generation, it will be better for everyone.

Ooo. I know how we can make this into the best event ever: Let's get some of that juicy data Sony let go of and cross reference it to Why Was I Banned? and Fat, Ugly or Slutty. Game, set, match.

Some dude named Rothbart on the Sarcastic Gamer forums had some interesting things to say. I hope I'm not being a jerk for copy-pasting his entire post, but his perspective is worth adding to the discussion:

"I need to ignore Twitter right now... there are tons of people (and site feeds) spewing ignorance galore...

I work at a company that deals with data security... we wish everyone that lost a laptop or left data unencrypted had used our product(s) first. The fact is, NOBODY is impervious to being hacked. It happens all the time to tons of companies. It happens at a much larger scale than the 75M PSN users.

By data breach standards, what Sony has done here is the absolute text book implementation of what to do correctly. They didn't put protocol aside to keep selling PSN content. They didn't put protocol aside to let gamers keep gaming, potentially muddying up the systems being scoured for clues. They didn't try to hide that this happened. They didn't try to analyze it themselves but instead brought in experts.

The people and sites that are faulting Sony on how they've handled this so far are simply, and I mean no disrespect by the use of the very most accurate word I can think of... "ignorant" as to what they're talking about.

If you think Sony should've battened down the hatches and never gotten hacked... talk to the HUNDREDS of other companies/brands/organizations out there that have endured the exact same fate. If you think Sony shouldn't have been storing credit card information (at all or in a certain way) you should know that all there are now are recommendations or guidelines, there are no LAWS yet that force companies to certain degrees of protection and even if they were adequately protected, depending on the extent and nature of the hack, having them protected to PCI DSS guidelines STILL might not prevent people from getting to our credit card information...

That said, Sony said there was no evidence that our credit cards were compromised. They recommended (and to be honest, this was worded well) that "While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained." How can they be faulted for that? Would you rather them lie and say "you're safe" or "they were compromised"?

This was a text book reaction to a large scale data breach and unlike MOST companies where we'd simply get an unexpected letter in the mail, we were somewhat kept in the loop by the raised awareness that PSN being down leading them to say something. You don't spill details during an investigation and these things take time. Hell, try checking out your computer after you've had a trojan installed and activated... now amplify that work by about a bajillion. Going through that stuff takes time."

Another great article. This has been a PR nightmare. I wonder what, if anything, Sony can do to bring gamers back to PSN and how many more XBoxes will be sold this month. I am not much of an online gamer but do occasionally purchase a downloadable game from PSN. It might be time to start looking into PSN cards for my purchases.

What has me spooked is that I still can't log in to cancel anything.

Parallax Abstraction wrote:

This will blow over and while some people will go through the huge hassle and expense to dump PS3 for 360, the vast majority won't and in a year, no one will think about this anymore. That's not necessarily a good thing as Sony and others won't learn anything if that's the case but well, that's usually the way things are.

True. But this is insanely bad timing for Sony.

From Dubious Quality:

March numbers:
Xbox 360: 433,000
Wii: 290,000
PS3: Apparently, so sh*tty that they won't even tell.

What are the April and May numbers going to look like? How much will this impact the holiday sales? It may blow over, but it also may kick-off the need for the PS4. That would bum me out, as I would like this console generation to go quite a bit longer.

No doubt. The NGP is due to come this year and it's supposed to be heavily about online. I wouldn't be surprised if a delay gets announced for it. Either that or Sony is going to spend truckloads on PR before then to try to make the general public forget about this as quick as possible.

Some dude named Rothbart on the Sarcastic Gamer forums had some interesting things to say. I hope I'm not being a jerk for copy-pasting his entire post, but his perspective is worth adding to the discussion:

Fair enough, but I disagree. If Standard Operating Procedure in the industry is to wait 6 days (or not know for 6 days) that client information may have been compromised, then SOP is broken.

I made a point of clearly stating that I don't fault Sony for being hacked, and I am completely ignorant on whether their data storage was up to snuff. Their response is what has caused me to lose faith.

If there's something that bugs me about Sony's response, it's that they don't seem to acknowledge their responsibility to minimize and help users minimize the fallout. That's not just an ethical responsibility, it's a legal one, and one that I'm sure will show up in the lawsuits.

wordsmythe wrote:
If there's something that bugs me about Sony's response, it's that they don't seem to acknowledge their responsibility to minimize and help users minimize the fallout. That's not just an ethical responsibility, it's a legal one, and one that I'm sure will show up in the lawsuits.

That's a very good point. I also agree that Sony's response to this has been calamitous. They should have e-mailed people much sooner (i.e. when they even thought there was a breach, not when it was confirmed), everyone's password should have been immediately randomized and a basic web site should have been put online to allow people to change their passwords or to delete their PSN accounts entirely if they so chose. If Sony's smart (and well, you know...), they will offer every user something substantial as compensation (i.e. not a month of PSN+ but like $15 of actual PSN credit). As for what they're going to do with the NGP or for that matter, their relationships with major publishers and developers, that could have even more fallout than the lawsuits.

wordsmythe wrote:
If there's something that bugs me about Sony's response, it's that they don't seem to acknowledge their responsibility to minimize and help users minimize the fallout. That's not just an ethical responsibility, it's a legal one, and one that I'm sure will show up in the lawsuits.

Logic. How can Sony acknowledge their responsibility when they have "very sophisticated" security? Just common sense.

I'd say having the face of the company be a smug, smart alec VP is really starting to look like a dumb move now. But then, Sony just loves to affix their own "kick me" signs to their own derriere.

Right now, EA and Activision have to be pissed. It's one thing to have a meltdown. But they are looking at two weeks of one of their revenue streams being shut off. And Sony has bungled it enough that even when PSN goes back online, folks are going to be far less likely to buy stuff there.

Kudos to Sony for not going live before they could secure their network. But they don't get an "Atta boy!" for taking two weeks to do it. It would almost seem like PSN was a half-assed free service run with skeletal crew because it costs Sony money instead of making them money.

I've principally used my PS3 for exclusives (both disc and downloadable) and as a Blu-ray player and after this I will continue to. I will not be giving them my credit card number again and what little I do buy on PSN will be done with points cards. I use LastPass like the other poster recommended but unfortunately, my PSN password was the one I used to use everywhere. Thankfully, I've long since changed that password everywhere that matters. If someone wants to use my account on some random forum to post spam, have at it. It has all but been confirmed at this point that credit card numbers were encrypted so if fraud happens on my Visa, it won't be because of this. At the risk of being blunt, if you don't follow some simple rules to keep yourself safe online like using strong passwords and not duplicating them, you're asking for trouble and that particular part of this is your fault and no one else's. Sony should have automatically reset everyone's password or made a portal available to do it but those with good personal security policies are unaffected.

I'd have this same attitude if the breach happened to Microsoft or Steam for one simple reason: This can and will happen multiple times to multiple big companies in our lifetimes and if I start boycotting every company that I'm not sure has my information 100% secured, I won't be supporting anyone and I won't be able to game anymore. The fact is that right now, there is a real shortage of qualified security experts in the world and though we don't like to think about it, there are armies of amoral scumbags out there who think any information they can crack, they deserve to do with as they please. Hackers are banging on Microsoft, Valve (remember, Valve's been hacked before), Apple, Google, Facebook, Twitter, PayPal, banks, cloud backup services and any other important company you can name every day and one or more of them will be cracked some day, probably soon. Frankly if these hackers were truly elite, neither us nor Sony would even know this whole thing happened.

Don't get me wrong, I think Sony dropped the ball in an immense way here. This is going to cost them a ton of money, reputation and a lot of Japanese executives are going to end up resigning in shame over it. Many say that their bureaucratic Japanese management structure is to blame for their horrible communications and this may provide a big wake up call on that front. They deserve what's coming to them. Will they learn anything? I don't know. It's pretty clear at this point that PSN was rushed together because the PS3 was so desperate to come out in 2006 after Microsoft beat them to the starting line. They sacrificed security for expediency and no one cared to go back and beef up the system after the fact. That's inexcusable for a company of any size.

However, security is expensive and we live in a world where for most businesses, profit is all that matters. To a clueless executive, security is just another expense that's unnecessary until it's too late. That's how Sony saw it and it's how a lot of other companies see it. If you no longer trust Sony and will no longer buy their products, I certainly don't fault you for that position. But if you want to adopt a policy of only giving your money to companies you can trust with your data, you'll end up rich and bored because there isn't one. My opinion of Sony has been sullied but whether I partake in Uncharted 3 or not really has no impact on anything. And I like Uncharted.

This will blow over and while some people will go through the huge hassle and expense to dump PS3 for 360, the vast majority won't and in a year, no one will think about this anymore. That's not necessarily a good thing as Sony and others won't learn anything if that's the case but well, that's usually the way things are.

Jayhawker wrote:

Right now, EA and Activision have to be pissed. It's one thing to have a meltdown. But they are looking at two weeks of one of their revenue streams being shut off. And Sony has bungled it enough that even when PSN goes back online, folks are going to be far less likely to buy stuff there.

This is going to be the biggest impact. Part of why the Playstation 1 & 2 were so successful is because they were seen as the de facto 3rd party consoles, especially for sports. That's what you purchased if you wanted to play Madden, NBA Live, etc. Dreamcast didn't have EA and it died in large part because of this. The 360 was already on its way to becoming the de facto system for 3rd party games. This may have just cemented that.

I keep thinking about DCUO. It's mind boggling to think that there is an MMO, a console MMO with a lot of resources put behind it to try and make an inroad on consoles and it's been down for over a week.

DSGamer wrote:
wordsmythe wrote:
If there's something that bugs me about Sony's response, it's that they don't seem to acknowledge their responsibility to minimize and help users minimize the fallout. That's not just an ethical responsibility, it's a legal one, and one that I'm sure will show up in the lawsuits.

Logic. How can Sony acknowledge their responsibility when they have "very sophisticated" security? Just common sense.

I'm not even talking about their precautions, though. I'm talking about their response, which can be as sophisticated as they'd like, so long as it's quick and staunches the bleeding.

I look forward to the huge(r) drop in PS3 sales that inevitably leads to discounted console prices. I REALLY want to play the Uncharted games. *fingers crossed*

I could care less about the online content of PSN-- as long as I can pop a disk in and play the game, I still want to get a PS3. I'm hardly playing games online anyway.

Granted, the way Sony has handled their customer base is sad-- there's not really anything productive or insightful I can contribute to this conversation. And reading my post back, I can see that there's really nothing I can contribute to the conversation AT ALL.

I'd say having the face of the company be a smug, smart alec VP is really starting to look like a dumb move now. But then, Sony just loves to affix their own "kick me" signs to their own derriere.

They're like the BP of gaming.