As Joel at Kotaku points out, Sony learned about the network break-ins on or about April 20 and did nothing to alert customers until the 26th, a move that points to a great deal of hubris and foolhardy bravado on Sony’s part. Joel followed the trail from beginning to end, noting that Sony learned that something was amiss when servers began rebooting without intervention on the 19th. After examining the machines for a full seven days, Sony finally alerted “regulatory authorities in New Jersey, Maryland, and New Hampshire.”
What’s wrong with that picture? Well, on the 22nd Sony informed the world that nothing was amiss and then, once the true scope of the damage was made clear, waited four more days to warn users that their data had been compromised. While one can agree that Sony may not have known what was up until, say, the first few forensics teams began to make their assessments, this does not excuse the company for ignoring the obvious dangers and putting users at risk.
Sony went through a lot of headaches here, and it is not yet clear whether PSN users have suffered monetary losses from the hack. However, by sitting on the news for so long, Sony management made it clear that saving face is more important than saving personal data. Six days is a long time. A little advance warning could have given all PSN members a moment to cancel their credit cards and to check their accounts for untoward activity. Instead, they had to wait, in the dark, until Sony saw fit to inform the world.
Check out Joel’s post and Ross Miller’s great tick-tock here.