It's been a full week since Sony's PlayStation Network went belly up. For five of those days, the outage appeared to be just what Sony said--an outage. Yesterday all that changed when Sony admitted the "external intruder(s)" that prompted them to take the PSN down on Wednesday, April 20th, had in fact grabbed reams of personal information, and possibly (though unconfirmed) financial data such as credit card info. With upwards of 75 million PSN users affected, some are calling it the largest breach of confidential user information in history. Where does Sony go from here?
(More on PCWorld: PlayStation Network Hack Timeline)
So far, all we know about the PSN outage and security breach could fit neatly on the back of envelope. Someone broke in, Sony shut the service down, at some point opted to completely rebuild the servers, and finally admitted yesterday that the intruder(s) grabbed a pile of rudimentary personal info, e.g. names, addresses, and birth dates.
What we don't know, by contrast, could probably fill a book. For starters: What type of security measures had Sony enacted prior to the takedown? Did it ramp up security in the wake of attacks by hacker group Anonymous? Were the hackers related to Anonymous (Anonymous denies it was an official operation)? How did the intruder(s) gain access? Did the takedown have anything to do with "Rebug" custom firmware released by hackers earlier this month? Did Sony really not know until yesterday that a serious private information breach had occurred? Did the intruder(s) actually acquire credit card or other highly sensitive personal financial info?
(More on PCWorld: PlayStation Network Security Breach: A Survival Guide)
And what we'd really like to know: What sort of compensation will Sony provide Qriocity and PSN members (note that many pay $50 a year for PlayStation Plus premium membership)? Has Sony identified the parties involved? Does the presumably criminal activity constitute a serious enough felony (or series of felonies) to involve the FBI? What sort of security measures is Sony taking to ensure an attack like this--or worse--won't happen again? How will it convey that to its over 75 million PSN members and convince them not to jump ship?
The answer to the last question's the most troubling. Trust is earned, not established overnight. When the PSN comes back, as it will, Sony's going to issue press statements and probably dispatch a blizzard of emails to PSN members claiming the problem's been resolved and that they've essentially implemented a superior security system.
Easier said than done. When implementing new technology or revising existing system architecture, most companies takes months (and some years) to develop, implement, and beta test. Sony's in an absolutely awful position: It has to put in place cutting-edge security measures and do so as fast as possible. Each day the PSN's down the spotlight expands, the probability of long-term brand stigma increases, and the likelihood we'll see users trading in PS3s for Xbox 360s snowballs. At least two triple-A games launched last week for both consoles (Portal 2 and Mortal Kombat). PSN users had all of a day to play either online before Sony pulled the plug (to say nothing of all the other games affected, including single-player ones that require PSN access at startup for trophy synchronization).
(More on PCWorld: Portal 2: A Little Better All The Time)
Sony's also painted itself as a target for future attacks, both by legally going after hackers like Hotz (who says he only wanted to jailbreak the PS3, much as he helped unlock Apple's iPhone) and in a sense goading headless international hacking groups who'll see the new security measures as simply a new challenge.
Let's be clear here: Stealing confidential personal information is both unconscionable and unacceptable--as ethically unjustifiable as it is illegal. While Sony bears much of the blame for apparently failing to secure its services sufficiently, we shouldn't forget the real culprits responsible for its recent troubles (whether involved in this latest incursion or no, that includes Anonymous). They deserve the lion's share of the blame, should be pursued to the full extent of the law, and held accountable as such. There's a right way and wrong way to protest if you're frustrated with a corporate monolith. These recent events are unambiguously the wrong way.
Where does Sony go from here? Two priorities: Get the PSN back, and establish beyond the shadow of a doubt what was and wasn't compromised. At present, the question remains whether credit card info was obtained. Sony says it has no evidence of this, but won't rule it out. It needs to. And then it needs to get both Qriocity and the PSN back on its feet, assure customers both services are in tip-top shape, roll out a "peace offering" (refunds, credit toward the service or its products), and--obviously--ensure the service stays up and performs at acceptable levels, whether under siege or no.