As the initial hysteria (mostly justified) surrounding the Sony PSN breach subsides, more measured estimates of the damage are appearing, but more serious questions are becoming relevant. It’s still too early to be sure what the extent of the damage is, but the early and sensational estimates (propagated before Sony announced relevant numbers) seem to be giving way to a more complex, nuanced look at the damage. A few people have claimed suspicious activity on their accounts so far, but there doesn’t seem to be any systematic fraud going on – on the other hand, it isn’t easy to immediately leverage 10-15 million credit cards.
Sony announced that it will be reestablishing access to “some” PSN and Qriocity services this week, with a focus on access to account details, online play, and access to purchased media. Other services should be online within a month. As for restitution, Sony is offering a month of PlayStation Plus and Qriocity Unlimited for free, plus a free PSN download, currently unspecified. Security is, of course, being “enhanced.”
That would likely be enough to compensate for an ordinary extended outage, but this was more than a glitch. Sony will likely get rougher handling from an investigation of their security practices than from frustrated customers.
An unofficial poll showed that a good number of gamers seemed to be resigned to sticking with PSN in some way — giving up the platform would be too great of a sacrifice for the huge number of consumers who, while angry, were likely only put out rather than affected materially by the breach. Sony will be making various ways to re-secure and audit your account available, and has said they will pay any fees associated with, say, credit card cancellation and reissuing. They also implied they will provide a secure “out” for users who want to just cut and run.
As we noted on Friday, Sony has secured help from several parties who, let’s hope, will lay their hands on the hackers responsible for the breach. But for every eye looking out for the hackers, there’s one looking hard back at Sony, who may be partially liable. While the criminal acts perpetrated by the hackers certainly deserve investigation, the other side needs a look as well — the primary question being not how did someone gain access, but why was so much data accessible via any method at all?
There are allegations going around that Sony was running outdated Apache servers, and that employees with no clearance were allowed within the physical firewall. Who knows but these may be true? At any rate, it’s clear that the databases containing personal information were insufficiently protected, and although Sony denies the credit card numbers were accessible, its careful wording seems to imply that the data was indeed taken. An official, independent investigation is almost certainly underway already (it being such a high-profile incident; indeed, the FBI is already involved), but it will take some time before any real results can be announced. Too little is known (or rather, too much of what is known is on questionable authority) for any kind of estimate of damages, and any criminal charges will have to wait as well.
A lawsuit has already been filed in advance of the facts, as they so often are, but if it’s done properly it will not rely on technical details, but rather on Sony’s responsibilities to its customers as custodians of privileged information. Even if Sony were to prove elsewhere that it met reasonable standards for security, the response to the breach seems to have been sluggish, even if what they say is true and they were unaware of the extent of the damage until a week after the event.
The greatest damage may be less easily quantifiable, though no less serious. It’s the damage to Sony’s brand. Apple, Microsoft, Nintendo, and Google (among other competitors in Sony’s many markets) have managed to go for years with no such catastrophic breaches — there have been some, to be sure, but the PSN breach is nice and easy for everyone to understand and judge, and the scale really is remarkable. I don’t want to say something like “it’s the beginning of the end for Qriocity,” but it may be that this evolving service is too weak at this stage to survive such a serious blow. It won’t help the launch of their new tablets, that’s for sure. And consumer trust, so difficult to measure, will only go down, at a time when a litigious and beleaguered Sony desperately needs good PR. Regardless of the actual material damage of this debacle, it looks likely to be an ugly year for Sony.