It Only Disappoints You

Let me say this first, because in the hullabaloo surrounding Sony’s almost criminally irresponsible handling of the ongoing PSN outage and compromised customer data, I feel like this point is quickly lost.

The bad guy (or at least the worst guy) in all this is the person or organization that hacked PSN.

I realize that Sony has managed in the aftermath to come off like the gawking bystander that hangs out watching as a horrific crime takes place, only thinking to bother calling the police long after the blood has dried on the sidewalk. In a way, it’s almost easier to be mad at that guy, and even to begin to blame him for the whole incident. I have to remind myself that the company didn't actually start this whole thing.

Sony is obviously not an intentional accessory to the actions that have crippled their system and exposed millions of customers to the worst kind of potential identity hazards, but like almost everyone else I am perplexed and aghast at their response. A response so bad that it has made virtually everyone madder at them than at the feckless waste of ejaculate who perpetrated the crime in the first place.

My initial reaction, however, was not anger. That has brewed very slowly, like a pitcher of tea steeping on the porch during a hot summer day. It wasn’t even surprise. It was something more like amused, cynical resignation.

This isn't just the Sony I had feared; it's the Sony I had expected.

On hearing that the company had not only allowed some anonymous hacker to waylay their online system for what has already been a truly extraordinary period of time, but also failed to disclose or even recognize that customer data had been compromised until nearly a week had passed, I felt a lot like I do when I read stories about Donald Trump. That is to say, vaguely annoyed and at the same time absolutely amazed at the magnitude of idiocy involved.

Watching Sony muddle their way through this latest blemish on their already not-particularly-good name, I feel like I might actually be watching a Monty Python skit on how not to react. It's like responding to getting slapped in the face by just slapping yourself even harder. I keep expecting one of the talking heads from Sony to suddenly start doing funny walks or be stomped on by a giant cartoon foot. If it weren't so painfully serious, it would be comical.

From here on out, however, my confidence in PSN and the parent company, not only as someone who watches the industry but as a past Sony consumer, feels irretrievably ruined. Without measuring Sony up artificially against other consoles—looked at alone in the harsh, cold spotlight—there’s no good reason I can imagine to ever again trust them with my personal information. I'd sooner give my credit card number to a Nigerian prince.

What I really hope, though, is that other holders of my information are paying close, damn attention. Frankly, it’s easy enough for me to throw the Sony out with the bathwater; I don’t have a lot of collateral at stake in our relationship. In the end, I still feel happy enough having a decent Blu-Ray player and a system that I may occasionally boot up to play some rented exclusive. It would be a lot harder to walk away if this were Microsoft or Steam instead, and I feel for the people who would like to extract themselves from Sony’s grip but who have invested countless dollars into the PS3 as their gateway into gaming and social spheres.

I sincerely hope that there are a lot of much smarter people kicking around making sure that the same sorts of vulnerabilities aren’t manifest in the systems I depend upon. I realize no system, certainly not those as complex as these gaming portals, can ever be completely failsafe. So what matters most is how prepared a company is to react to a crisis, and I can’t help but feel like Sony just got their butt kicked in the parking lot of a bar and has decided to react by bleeding on the ground for a while.

It’s just the first in a flurry of street brawls I suspect the company will likely endure as the first rounds of litigation begin to take shape and the media begins to have its field day. But, honestly, I’ll be watching with only a casual passing interest, because I’ll no longer have a dog in that fight. After all, I’m now only a former Sony customer.

Comments

Elysium wrote:
I'd say having the face of the company be a smug, smart alec VP is really starting to look like a dumb move now. But then, Sony just loves to affix their own "kick me" signs to their own derriere.

They're like the BP of gaming.

They should start issuing press releases via Marcus.

LarryC wrote:

I'd never put that kind of information on PSN! The security of buying prepaid credit points with cold cash is worth the small premium on pricing.

There's no premium if you buy them from Amazon, and you get the codes instantly.

This is good for people in my situation. For a while now Sony has not allowed US credit card holders to add money to their PSN wallets if attempting to do so from a non-US IP address. Could get around it using a VPN, but it was still a hassle.

Not that I disagree that it's a possibility but there's literally no proof beyond anecdotal timing that the Australian guy's fraud is a result of PSN. Credit card fraud happens to thousands of people every single day.

The story about 2.2 million European numbers being sold is also speculative and hasn't been confirmed by anyone. That said, I wouldn't be surprised if it does. So much for the data being encrypted if that's true.

There's a whole article/comments dedicated to those who feel the PSN hax0rz have used their stolen card data.

While I'm not a security expert, I do wonder if Sony implemented a reasonable amount of security to protect their customers. From other things I've read here and elsewhere about the PS3 security being cracked (long before the PSN breach), Sony's response almost seemed (to me, at least) nonchalant. I wonder if they implemented enough security to protect the company from criminal negligence.

According to Ars, the facts to this whole debacle are that:

1. Credit card database tables were encrypted

2. Personal user information was NOT encrypted

3. The hack was most likely from the inside, someone like an employee

If the personal information included stuff like passwords and addresses, then that would be an easy way to get people's information for fraud. Even if you can't get the full credit card number that way, there are going to be methods.

This was very bad timing all across the board, though. Mortal Kombat just came out and no one can play online. Portal 2 just came out and no one can give the Steam overlay a whirl. E3 is in a little over a month and what are they going to say? I guarantee you Microsoft is going to have a subtle jab at the competition over this. Over at GameKrib.com a bunch of people are already saying "lol PSN sucks Xbox is worth payin for".

Either way, the reason PSN itself is down is because they're physically moving it, which has got to have the IT guys stressed out.

Oddly enough, I'm still starting to lean towards the Playstation even if I feel like Sony is blundering. As for how they're handling the situation, I think it's more a matter of no one knowing what to do. Do you come right out and say "We've been hacked, your info may be compromised, we're working on fixing it"? That would be some bad PR, and you know people would have been angry. I just think Sony didn't realize how bad the backlash would have been and has been giving details to try and calm everything, but it's like trying to stop a grease fire in the kitchen. Everyone's already mad, and the more you say, even if it is "the right thing", it'll piss people off.

Sony says they didn't save the CV codes on any cards used for PSN. That casts some doubt on the 2.2 card numbers being PSN booty.

Honestly, if this had happened to Microsoft, do we think that they would have handled it better? I'm not so sure after the RROD debacle.

At least it wasn't Apple, who would probably blame the users for "using it wrong".

If it really was an inside job, I think that may explain Sony's slightly slow and inconsistent response. I'm sure for legal reasons they aren't allowed to say anything until law enforcement and lawyers tell them they can. That would not be an easy situation to work through. In fact, I think it's pretty decent turnaround time to let us know what's going on. At least twice I've received letters in the mail from corporations telling me my information was on a laptop that was stolen months ago.

In the end I think it'll mostly blow over in a few weeks and people will mostly forget about it. Gamers have proven willing to put up with a lot once they are invested in a system. Yeah, I've taken some extra precautions to make sure my information is safe but I don't see it as a reason to never purchase from Sony again. Could Sony be managing this better? Sure. I guess I just don't see it as quite such a big deal.

Maybe I'm just willing to give Sony a pass since the PS3 is my main gaming platform these days, though.

Dreaded Gazebo wrote:

Yeah, I've taken some extra precautions to make sure my information is safe but I don't see it as a reason to never purchase from Sony again. Could Sony be managing this better? Sure. I guess I just don't see it as quite such a big deal.

This.

And not this.

Having to maintain fraud alerts with Experian, Equifax and Transunion for the next couple of years (once every 90 days) is a nuisance. But necessary, because the exposed account data can be used for identity theft. That's worse than violating an easily-cancelled debit card.

Although, the debit card exposure is a significant nuisance as well. Suffice it to say, underinsured + cancer + late medical bills = reduced ability to move from a (now cancelled) debit card to a credit card.

How big a deal it is for you depends on how easily you can get into new data after the old data is exposed.

A little story... A swing dance instructor/promoter in my area was having problems with his finances, and with equipment (such as MP3 players and speakers) being lost/stolen/broken. He asked for donations in order to replace the losses. I, along with others donated. I don't know what happened to that money, but it never went to replacing the lost stuff, because he's still in the same position over a year later. He's also failed to deliver on services purchased in advance, such as a series of private dance lessons.

Moral: I'll never buy anything in advance from him again, nor will I donate anything to him that hasn't been inextricably linked to the thing he's supposed to buy with that money. Any money I give him will be for something that can be satisfied immediately.

I'm adopting a similar policy with Sony. I won't give them any information that I wouldn't want to fall into the hands of a malicious party, nor will I give them anything for services to be rendered later, nor will I trust them with any secrets such as debit card numbers and CCVs. And any credit cards I give them will be watched closely for fraudulent activity, because I can't trust them to keep anything safe. And I certainly can't trust them to inform me in a timely fashion if they have a breach.

So I'll still do business with them... but I'll also watch them like I would Smeagol (Gollum).

Hans

Nevin73 wrote:

Honestly, if this had happened to Microsoft, do we think that they would have handled it better? I'm not so sure after the RROD debacle.

You really think that MS wouldn't have MajorNelson and the rest of the XBox Live PR staff doing damage control from the moment that the service went down until the end of time? I find that completely unbelievable.

MS has a lot of smart people doing PR for them. Sony has an actor that's doing the job for them. There's a pretty huge difference there.

cube wrote:
Nevin73 wrote:

Honestly, if this had happened to Microsoft, do we think that they would have handled it better? I'm not so sure after the RROD debacle.

You really think that MS wouldn't have MajorNelson and the rest of the XBox Live PR staff doing damage control from the moment that the service went down until the end of time? I find that completely unbelievable.

MS has a lot of smart people doing PR for them. Sony has an actor that's doing the job for them. There's a pretty huge difference there.

I agree. Major Nelson is great for Microsoft because he's a real person actively involved not just in PR, but in day-to-day operations of Xbox Live. As far as I can tell, Sony has no one. Patrick Seybold is doing the updates on the PlayStation US blog, but Sony hasn't really made him the face of PlayStation PR. Also Microsoft has Edelman doing Xbox PR--who is doing Sony's? I won't be surprised if this is a result of them trying to do it all themselves.

wordsmythe wrote:

If there's something that bugs me about Sony's response, it's that they don't seem to acknowledge their responsibility to minimize and help users minimize the fallout. That's not just an ethical responsibility, it's a legal one, and one that I'm sure will show up in the lawsuits.

I agree they have some responsibility to help users minimize fallout.

I would never expect them to admit culpability. Just knowing that they potentially face lawsuits of a few different kinds will mean that they're being very careful about admitting guilt for anything.

Reading your reply more carefully, as the coffee takes effect, I see your thoughts were limited to assisting customers with recovery.

ccesarano wrote:

As for how they're handling the situation, I think it's more a matter of no one knowing what to do. Do you come right out and say "We've been hacked, your info may be compromised, we're working on fixing it"?

Yeah, you do. It's a matter of owning up to your own f*ck-up when it affects other people. Personally, I've got a lot more respect for the guy that says, "We screwed up and we're telling you early because it might affect you" than the guy that doesn't say anything, hoping that it doesn't affect me, and then lets me know at some unspecified point down the road.

PSN = Prince of Scams from Nigeria.

Eh, I got nothin'.

Chairman_Mao wrote:
cube wrote:
Nevin73 wrote:

Honestly, if this had happened to Microsoft, do we think that they would have handled it better? I'm not so sure after the RROD debacle.

You really think that MS wouldn't have MajorNelson and the rest of the XBox Live PR staff doing damage control from the moment that the service went down until the end of time? I find that completely unbelievable.

MS has a lot of smart people doing PR for them. Sony has an actor that's doing the job for them. There's a pretty huge difference there.

I agree. Major Nelson is great for Microsoft because he's a real person actively involved not just in PR, but in day-to-day operations of Xbox Live. As far as I can tell, Sony has no one. Patrick Seybold is doing the updates on the PlayStation US blog, but Sony hasn't really made him the face of PlayStation PR. Also Microsoft has Edelman doing Xbox PR--who is doing Sony's? I won't be surprised if this is a result of them trying to do it all themselves.

I don't think this has to be the comparison everyone keeps drawing. I don't care whether other companies would have handled it better, I care that Sony handled this poorly.

wordsmythe wrote:

I don't care whether other companies would have handled it better, I care that Sony handled this poorly.

Exactly my thought. We shouldn't be judging Sony in regards to how someone else would handle it.

Do I feel sorry for Sony? Yeah, I do. It really sucks and is going to require a huge investment in time and money to rebuild trust, and that's not an easy thing to do.

I should have only quoted cube's last sentence--on a day to day basis, Microsoft actually does PR for Xbox, while Sony relies mostly on advertising for the PlayStation. Sony doesn't need to learn from the competition, it just needs to learn how to communicate with its users beyond advertising, which really only goes one way. Sony's PlayStation blog, Twitter feed and Facebook page leave a lot to be desired.

One example of a great PR opportunity Sony has so far totally screwed up on: http://share.blog.us.playstation.com/

They ask us to share our ideas on how to improve PSN, and yet none of the top 5 ideas have been implemented. What's the point, Sony?

And here I was, thinking I might pick up a PS3 sometime next month to play the great PS3 exclusives I've heard extolled about the web-o-sphere 6000. Nope.

HedgeWizard wrote:

And here I was, thinking I might pick up a PS3 sometime next month to play the great PS3 exclusives I've heard extolled about the web-o-sphere 6000. Nope.

If I come across a good deal on Ebay or Craigslist, or if Sony decides they need to aggressively push for sales, I might pick up a PS3. The odds of me using it online are rather small, as I would still play all of my sports games over XBL. But getting a shot to play LBP and Uncharted would not suck.

A Gamasutra editor (who also works for a Marketing Agency) has posted an article agreeing with some of the comments here, from the point of view of brand management and PR.

Jayhawker wrote:
HedgeWizard wrote:

And here I was, thinking I might pick up a PS3 sometime next month to play the great PS3 exclusives I've heard extolled about the web-o-sphere 6000. Nope.

If I come across a good deal on Ebay or Craigslist, or if Sony decides they need to aggressively push for sales, I might pick up a PS3. The odds of me using it online are rather small, as I would still play all of my sports games over XBL. But getting a shot to play LBP and Uncharted would not suck.

My thoughts exactly. As I said previously, I personally don't care about PSN. The fracture in customers' trust in Sony sucks for all PSN users, definitely-- but if this results in my acquiring a PS3 on the cheap(er), then I'll be happy for myself, at least.

The Sony response doesn't surprise me, I used to play Sony MMOs.... I think anyone in that boat isn't surprised in the least.

Sony is a Japanese company. Everything they do (including this) makes that painfully evident. If you understand Japanese culture (government/business culture) then this is... normal.

Where we get shocked by it is we almost never interact with a Japanese business culture here - most places have American subsidiaries that deal with Americans. Sony does, but it's a facade, Japan runs the show.

If we were all in Japan this type of response wouldn't even show on our radar. Just look at how the government has been handling the Nuclear crisis.

JP: "It's not that bad."
US Media: "All our gov bodies say the evacuation zone is 1/2 the size it needs to be."
JP: "Nope, not bad, stay at home, close the windows."
US Media: "As bad now as Chernobyl."
JP: "..."

I started moving my passwords to LastPass when my Gmail was compromised two days after PSN went down. (no way to prove that they are/aren't related). I now have a totally random password for every website/etc.

This is a great reminder to make sure that you aren't using the same username/password in multiple places.

Ok I understand how people can be pissed at Sony for this, but with a call to your bank you can be issued another credit card with a new number and you'll save yourself any worry. As for the other info that was stolen... well I suspect that most phone books would contain the same morsels of information, so I wouldn't exactly be up in arms about it.

Has Sony lost trust with me? A bit, but not anywhere close to how much trust I lost with Microsoft and the Hardware debacle that took 2 years to fix. This PSN breach won't cost me a thing. However with the xbox, I've already had to spend money to replace the refurbished unit that I received in a RRoD warranty replacement of my original (on my 4th and last xbox now).

With that said, I will be purchasing prepaid Sony points instead of using my credit card. In fact I will probably be doing that for most of my online gaming stuff now. It just makes good sense.

JubaCat wrote:

Ok I understand how people can be pissed at Sony for this, but with a call to your bank you can be issued another credit card with a new number and you'll save yourself any worry. As for the other info that was stolen... well I suspect that most phone books would contain the same morsels of information, so I wouldn't exactly be up in arms about it.

Has Sony lost trust with me? A bit, but not anywhere close to how much trust I lost with Microsoft and the Hardware debacle that took 2 years to fix. This PSN breach won't cost me a thing. However with the xbox, I've already had to spend money to replace the refurbished unit that I received in a RRoD warranty replacement of my original (on my 4th and last xbox now).

With that said, I will be purchasing prepaid Sony points instead of using my credit card. In fact I will probably be doing that for most of my online gaming stuff now. It just makes good sense.

You're kidding yourself. The phone book doesn't have my birth date, email address, login information, and security answers (mother's maiden name, etc.). This is the sort of information someone could use to forge an identity, and is far more lucrative to identity thieves than credit card information on its own. If you haven't opened a fraud alert with the credit reporting agencies, you are leaving yourself open to identity theft. So yes, this data breach has a pretty good potential to cost you a hell of a lot more than RROD Xboxes if someone were to open lines of credit or other accounts in your name.

This is what it is, though. If Sony couldn't conceive that this breach involved the theft of data from the beginning, it is easy to see why they reacted the way they did. I'm not justifying it, but it's pretty typical of corporate PR, Japan or U.S., to react slowly and avoid opening themselves to liability. In hindsight, it is shameful that Sony didn't acknowledge what was happening whatsoever until six days later.

I haven't lost faith in PSN or Sony, because I think hackers will always be a step ahead of any steward of data. PSN was the target this time. I really wish they would have handled the fallout better, because I feel lucky that my credit report was still clear when I learned of the breach.

JubaCat wrote:

Ok I understand how people can be pissed at Sony for this, but with a call to your bank you can be issued another credit card with a new number and you'll save yourself any worry. As for the other info that was stolen... well I suspect that most phone books would contain the same morsels of information, so I wouldn't exactly be up in arms about it.

Has Sony lost trust with me? A bit, but not anywhere close to how much trust I lost with Microsoft and the Hardware debacle that took 2 years to fix. This PSN breach won't cost me a thing. However with the xbox, I've already had to spend money to replace the refurbished unit that I received in a RRoD warranty replacement of my original (on my 4th and last xbox now).

With that said, I will be purchasing prepaid Sony points instead of using my credit card. In fact I will probably be doing that for most of my online gaming stuff now. It just makes good sense.

I would just like to point out that I A) like your forum name and 2) like your avatar. I didn't even read your post until after I wrote this.

Evo wrote:

You're kidding yourself. The phone book doesn't have my birth date, email address, login information, and security answers (mother's maiden name, etc.). This is the sort of information someone could use to forge an identity, and is far more lucrative to identity thieves than credit card information on its own. If you haven't opened a fraud alert with the credit reporting agencies, you are leaving yourself open to identity theft. So yes, this data breach has a pretty good potential to cost you a hell of a lot more than RROD Xboxes if someone were to open lines of credit or other accounts in your name.

I concede that there are things that can contribute to Identity theft that were stolen. I don't however believe that it's the DEFCON 1 of cyberattacks. Good luck trying to get a line of credit without a SSN or a Driver's License without a birth certificate. These things can be forged for sure but I don't think my PSN password or security question is going to help expedite that process, therefore I am just as vulnerable as I was before the attack.

I'm not arguing against anyone taking steps to protect themselves. I think that makes total sense and I plan on doing the same thing you suggested. On the other hand, as long as my credit card info or SSN isn't in the hands of the evil doers I'm ok with the info they have.

BTW I should disclose that I have moved since I created my PSN account, I never gave out my real phone number, I use a junk email account, and my security question was like my favorite pet's name (Juba Cat!!). So my vulnerability may be different than others.

Know what I think? I think Sony's security is going to be pretty dang up-to-snuff after this little incident. I think it'll be one of the safest places I could put my personal info online, going forward, what with the ramped up measures they're no doubt enlisting. I mean, Sony is at DEFCON 1 right now. They're locking thangs down. (Speaking as someone who, of course, has no idea what measures they're really taking.)

I'd be increasingly concerned, at this moment, with, say, Microsoft. And I know that Microsoft doesn't want in on the mix; you don't want your customers even second-guessing your security. But Microsoft needs to get their PR machine locked and loaded, too, because if I'm a parent that doesn't play with these machines, then I'm not necessarily going to single out Sony on this issue. As a parent, I'm going to be pissed at this whole entire thing called videogames, and I'm going to question the security of my credit card numbers on the Xbox and the Wii, too.

I'm extremetizing my example, of course, but I'm too lazy to temper any of this.

EDIT: I feel like I'm on drugs. I'm not sure I believe much of what I just said. Devil's advocacy is not my forte.