There’s just no way around it. Sony really screwed up. And not just in the way they consistently have in the past. I mean big time. The outage that started last week and was finally addressed yesterday is worse than anyone expected, and naturally, someone has already sued.
The lawsuit alleges that Sony was both remiss in its security responsibilities and its duty to inform its customers of the problem. I think it’s got legs.
While the statement from Sony wasn’t as straightforward as we’d have liked, it’s not hard to see that this breach was serious from the very beginning and the extent of the information the hacker potentially had access to included passwords, credit card numbers, and everything else that should be near-impossible to access. If there was any chance that a hacker had access to my credit card — even encrypted, as they mention the information was — Sony should have said that at the very first moment they knew.
No doubt the various security, policy, PR, and other teams at Sony have been working frantically to come up with an official statement and damage report. But when very important details of some 77 million people are at stake, it’s probably better to overstate the danger at once to be safe. That way, people can make the evaluation of whether or not they are at risk.
By staying silent, Sony has potentially given the hackers a week-long head start on using, selling, or otherwise abusing the customer data. They knew it was bad from the start — the total shutdown is proof of that. And they should have told us. Were you one of the people affected by this? Keep an eye on this one.
Here’s the full text of the complaint: