Sony Response to PlayStation Security Breach Abysmal

Updated Aug 11, 2011, 12:12pm EDT


I guess some people may be impressed by three senior Sony executives, including Kaz Hirai, the group CEO of Sony Computer Entertainment, bowing deeply in apology for the massive security breach of Sony’s PlayStation Network. Maybe it's a cultural thing, but color me deeply unimpressed. Sony’s behavior has been abysmal.

For those of you who are not gamers, or have been neurotically focused on the details of Osama bin Laden’s demise, a brief recap. On April 19th, Sony became aware of a hostile intrusion into its PlayStation Network, which has 77 million members worldwide. It shut down the network the next day, but did not say anything publicly about being hacked until two days later. Inexcusable. More than 12 million of those members – myself included – had credit card numbers linked to their accounts. Why did Sony execs wait three full days before letting its customers know they might be at increased risk of identity theft or fraudulent transactions?

Not until April 26 – a week after the attack – did Sony admit that personal information (names, addresses, birth dates) was in fact stolen, and that they “could not rule out the possibility” that credit card data was also taken. It wasn’t until Sunday – 11 days after the attack – that Sony execs did the ritual apology and deep bow. Sony’s CEO Howard Stringer has yet to say anything publicly about the attack and there have been open calls for his resignation.

Honestly, I don’t care if Stringer apologizes, is fired, or does enough deep bowing that he needs knee replacements.  What I do care about is Sony’s lack of transparency and their seeming inability to issue clear, unambiguous instructions to their (former) customers.

Like for one, should users cancel credit cards linked to PlayStation network accounts?  Having just braved a cold Manhattan rain to trudge to my local Citibank branch to do just that (Citi’s phone lines are clogged to the point of non-functioning), I want to know.  Who will bear the costs associated with replacing these cards?  The banks?  Sony?  Sony’s (former) customers?  Obviously, I now need to remember every crappy Internet service I signed up for over the last decade with the same password as my PlayStation one and change them.  Is that enough? What would be?

Sony sent a long(ish) letter to a Congressional subcommittee yesterday (view it here), but it is still rather lacking on specific advice.  Hopefully Sony will start making sounds that make sense soon – Keep your eyes on @PlayStation – the PlayStation’s official Twitter account and the official PlayStation blog.

UPDATE, May 6th: Sony's CEO Howard Stringer finally offered a personal apology for the data theft, noting that “some believe we should have notified our customers earlier than we did.” Additionally, Sony will offer all of its PlayStation Network customers a year of free credit and ID theft monitoring. It’s very late in coming – Sony became aware of the intrusion 26 (!) days before Stringer made any statement – but welcome nonetheless. Read Stringer's statement here.
