Howard Stringer, Sony’s CEO and the most visible target for criticism regarding the recent PSN data breach, has gone on an interview rampage, speaking with major news outlets to get word out that no network is fully secure and Sony went above and beyond the call of duty in its response. I don’t think users will agree, and though it may not be fair… well, tough.
The main issue seems to be the first week, when Sony apparently failed to notify its users that there was a serious breach and that their data may be at risk. Stringer told the Wall St Journal:
We told people what we believed to have been lost and what we couldn’t rule out within a day of finding that out. That’s fast. That’s faster than what most companies have done. That’s faster than the law required and it was the responsible thing to do for our customers. You can’t find a company that acted any quicker once it found out. What you’re talking about is when we didn’t know anything you wanted us to reveal the information. That would have been irresponsible. If your house has been burglarized, you find out if you’ve lost something before you call the police.
It’s true that once they knew the extent of the breach for sure, they were quick about saying so, and that’s to their credit. But the burglar analogy misses the mark, because in this case it’s not Sony that’s at risk, it’s the users. And Sony absolutely, positively should have taken the bull by the horns within a day or two of the breach (the potential extent of which must have been known early on) and said “We got hacked. It’s serious. We don’t know how serious just yet, but serious enough that you might have to get a new card and change your password. We’ll have more information soon, but keep an eye on your accounts and let us know immediately if you see anything suspicious. Sorry for etc. etc. etc.”
Stringer was honest about Sony’s limited knowledge of the origins and intent of the hack, though he does put it at Anonymous’ door, which is playing with fire. But they have found no evidence of identity theft or credit card abuse, and are working closely with law enforcement, in addition to offering complimentary protection against those crimes.
It’s up to posterity to judge, of course, but I think the general consensus on this will be that Sony acted quickly and authoritatively, but by not inoculating themselves against the worst by being up front with their consumers, they allowed the news to get out by other means, and appeared to be afraid of the truth.