Sony PlayStation data breach fiasco: what bugs me about it


I have been skimming the glut of news stories covering the PlayStation hack following Sony’s statement yesterday.

The issues that keeps coming back to me are these:

1. Sony, like any company who keeps customer account details, is responsible for keeping this sensitive data safe.

So the question is, How could these details, potentially including credit card details, of a whopping 70 million users not be encrypted? It baffles the mind.

Perhaps the data was indeed encrypted, but if it was, how come Sony haven’t stated this?

Let’s say I accidentally leave my front door ajar, leave the house for a few days, and return to find that I was robbed. People will say I am a bit of an dodo brain, but I will still get sympathy from friends and family and we will all blame the thief.

But, if I convince all my friends and family to trust me with their prized possessions, pile their valuables on my coffee table, and then leave the front door open, I doubt they will be very supportive when I meekly approach them saying, “whoopsie – someone took them. These things happen, right?”

So it is no wonder that so many people are annoyed. They have a right to be.

What the F*** happened at PSN?

Having read Sony’s statement, they thank their “valued” customers for patience/goodwill/understanding (annoying in itself since I doubt many feel patient, generous or understanding). They also tell you to be wary of scams, which is all well and good.

But they don’t tell us what happened.

I really REALLY want Sony to stand up and explain how the company screwed up, how the bad guys got into their system, why the data wasn’t properly stored: a clear and concise explanation and, where appropriate, a straight-up apology for their oversights/misplaced bets/mistakes/etc

(Shall we place a bet on whether an APT was responsible? – sorry, couldn’t help it…)

It won’t get your data back, but at least we’ll all have some idea of how this happened. And it might do wonders to repair the trust issues it is bound to face with its stakeholders. More importantly, it will help other companies learn from Sony’s mistakes.

True, it can take some time to sort through all the bits and bobs before you provide a detailed explanation. But Sony set a rather slooooooow pace by waiting a week between its first announcement and yesterday’s statement.

So what can you do?

Read advice on your next steps, including changing your passwords and credit cards, from fellow Naked Security writer Graham Cluley.

Affected users have also been invited to get in touch directly with Sony if you have any questions.

Why not ask for a public explanation and apology? Feel free to share the response with Naked Security.