Sony should have told customers about hack on day 1

By Luke Wilusz

Sony was recently caught up in the largest and most severe online security disaster this generation has ever seen, and the company has only made things worse by poorly handling it almost every step of the way.

The trouble started on April 20 when Sony’s PlayStation Network servers were taken offline. Sony said the network was “down for maintenance” at the time. Rumors of a security breach began to circulate on blogs and online forums. Meanwhile, Sony remained largely silent on the matter and refused to comment on what was wrong with its network.

The company said the downtime was caused by an “external intrusion.” Spokespeople also said it might take up to several days to get the network back online. Rumors persisted that the PSN had been hacked and users’ privacy was at stake, but Sony didn’t go public with the situation’s details until April 26.

When Sony did come clean, it was a rare scenario where the truth was actually grimmer than the rumors brewing on the Web. The PSN had indeed been hacked, and the attackers had stolen personal data belonging to its 77 million users. Sony confirmed that private information such as names, addresses, emails, birth dates, passwords and login information had been stolen. Even worse, the company could not confirm whether users’ credit card information had been accessed or not.

A letter to Congress from Sony Computer Entertainment of America Chairman Kazuo Hirai revealed that the company first detected the intrusion on April 20. Sony waited six days before informing its users their personal data was at risk, which is completely irresponsible.

While some users have reported credit card fraud and blame the Sony hack for it, the company has not determined whether that information was stolen in the attack. However, Sony representatives insisted credit card information on the network was encrypted and stored separately from the accessed user data. They said there was no evidence that credit card information was compromised.

To make matters worse, the servers for Sony Online Entertainment, a division of the company that manages online computer games and Facebook applications, went offline on May 2, while Sony was scrambling to bring the PSN back online. Later that day, the company confirmed 24.6 million SOE accounts were breached, and 12,700 credit card account numbers were stolen. This second breach is believed to be part of the original hack rather than a separate attack.

While this may well be the worst security breach in the company’s history, Sony can’t be exclusively blamed for it. No network is perfectly secure, and any computer system can be breached. Sony just happened to be the target of this group of hackers, whose identities remain unknown.

While Sony could have invested more resources in its security infrastructure, the hackers are the ones who deserve the brunt of the blame. However, Sony is entirely at fault for keeping people in the dark while their privacy was at risk.

When a security breach can affect more than 70 million people, the appropriate response is not to sit quietly and hope things actually aren’t all that bad. Sony should have warned users immediately that their identities were at risk and told them how they could secure their information. The whole situation has turned into a public relations catastrophe, and things seem to be getting worse for Sony every day.

The technology giant is facing one class-action lawsuit after another as enraged users seek whatever sense of justice, comfort or retribution they can get from this fiasco. The FBI’s cybercrimes unit is looking into the breach. The Department of Homeland Security, the U.S. House of Representatives’ Subcommittee on Commerce, Manufacturing and Trade and 22 state attorneys general are also investigating the hack and assessing how much of a threat it poses to the American public.

Only time will tell how this situation will play out for Sony—and, more importantly, for the millions of people worldwide affected by the hack. There’s no denying this situation is dire, and there’s no way to tell how much worse it will get before Sony gets its systems back under control. All people can do at this point is cancel their credit cards and change their passwords, particularly if they used their PSN or SOE passwords for anything else.

They can limit how much this breach affects them by making sure each online account they have can’t be accessed using information stolen from their Sony accounts. People should use this latest snafu as a reminder that it’s always imprudent to keep all of their digital eggs in one giant, vulnerable basket.