Sony's PlayStation Network Hack: When Did They Know?

Lance Ulanoff, Former Editor in Chief

What did Sony know and when did they know it? Those are the questions I've been asking ever since Sony revealed yesterday that not only had their popular PlayStation Network been hacked, but loads of personal data may have been accessed by "malicious" forces. This data includes full name, password, email, home address, and even purchase history. Sony initially said that credit card numbers were not part of the mix, but then basically said it couldn't guarantee that.

With these kinds of non-assurances, many Sony PlayStation Network members (that's about 70 million users, according to Sony) face the prospect of phishing attacks and the unpleasant task of cancelling credit cards and getting new ones.

It didn't start out this way. When the network first went down last week, Sony suspected hackers, but wasn't sure. The problem was severe enough that Sony acknowledged it might not be able to bring the network back online for a day or two, but no one was ringing any alarm bells. This was a nuisance that Sony would handle and investigate. Sony, by the way, likely became a hacking target when it threatened to "ban for life" some hackers who had published a rootkit for the PlayStation 3. The popular global hacking group "Anonymous" threatened Sony for this action, but when the PSN went down, it quickly announced it had nothing to do with it.

Sony's PlayStation Network is a lot like Microsoft's Xbox Live online gaming environment, with one crucial difference: Microsoft charges and Sony does not. Sony instead charges for individual products and services under the Network (Microsoft also has additional fees—which they charge as Microsoft points—within its service). Perhaps that's why many weren't that concerned about a hack on Sony's network. If no one is paying, what is there to steal? Of course, that notion turned out to be sadly naïve.

Nearly three days into the network outage, Sony's story changed a bit. It had actually taken the network down on its own to block an ongoing external intrusion. This suggested that the attack was ongoing and made me wonder: If no one is on the network, what's the value of this intrusion? Sony wasn't rushing to bring the PlayStation network back online and instead focused on rebuilding and trying to enhance its now pulverized network security.

Oddly, during this time, it was hard to find the Sony PlayStation member outrage. Were they really, as some reports suggested, chilling out, enjoying their downtime? Without network access, they couldn't buy and download music, movies and new games—but I assume they found other media and content access avenues. They also couldn't engage in any multi-player gaming, but could still play games all by themselves. Is this a global moment of introspection for Sony PlayStation Network members? I bet more than a few parents have wondered if their Sony PS3-obsessed teen might finally pick up a book. Perhaps they'd all emerge from this week away from the network cleansed and truly thanking Sony for the experience.

Not very likely.

The news that vast amounts of data may have been compromised has surely put a pin in this blissed-out-fantasy balloon. I expect Sony PlayStation members are currently feeling confused and a bit concerned. With the network likely down for another week, they'll have time to get good and angry. I think they should.

My guess is that as soon as Sony knew it was fighting a networking intrusion, which was likely some time on Wednesday or Thursday, it knew it might have a customer data problem. Why? Because any network administrator worth his or her salt would have asked the question: Did the attack reach the customer database? Has it been breached and is there any indication that data left our servers and network?

I'm not saying they'd know for sure whether or not any of this happened: Networks and servers are increasingly complex things and during attacks it is often difficult to pinpoint the issue or exactly what's happening during an attack. Even so, Sony must've suspected, and yet it said nothing. Sure, it kept customers up to date on its progress, but did not alert them to the possibility of a data breach until almost a week into the attack. At that point, customer data has likely been passed along to malefactors—data that might include a credit card number, email, and billing address; time in which someone might have been using that information for credit fraud or identity theft. One thing that, remarkably, the hackers did not get is the credit card security code, the three-digit number after your credit card number, and it may be the tiny little last line of defense between you and the data thieves.

Could Sony have done anything to prevent this attack? I don't know. I did think, until yesterday, that it was being fairly transparent about everything and doing all it could to keep customers informed. But with this latest revelation, I'm no longer sure. Sony knows many of its PlayStation Network customers may now face a world of trouble. The only question remaining is what's Sony going to do about it? Oh, and there is that other one for the lawyers who are sure to come: What did Sony know and when did they know it?

About Our Expert

Lance Ulanoff

Former Editor in Chief

A 25-year industry veteran and award-winning journalist, Lance Ulanoff is the former Editor in Chief of PCMag.com. Lance Ulanoff has covered technology since PCs were the size of suitcases, "on line" meant "waiting" and CPU speeds were measured in single-digit megahertz. He's traveled the globe to report on a vast array of consumer and business technology. While a digital veteran, Lance spent his early years writing for newspapers and magazines. He's been online since 1996 and ran Web sites for three national publications: HomePC, Windows Magazine and PC Magazine. A graduate of Hofstra University, Lance has history with the PCMag brand that spans nearly two decades, having worked there in the early 90s and returning in 2000 to relaunch PCMag.com. In 2007 he was named Editor-in-Chief. During his tenure, Lance guided the brand to a 100% digital existence. In his capacity as Senior Vice President, Content, for Ziff Davis, Inc., Lance oversees content strategy for all of Ziff Davis' Web sites. His long-running column on PCMag.com has earned him a Bronze award from the ASBPE. Winmag.com, HomePC.com and PCMag.com have all been honored under Lance's guidance. Lance served as host of PCMag's weekly podcast, PCMag Radio, and makes frequent appearances on national, international, and local news programs including Fox News, the Today Show, Good Morning America, CNBC, CNN, Bloomberg TV, NY1, CNN HLN, BBC, New York's Eyewitness News, News Channel 4, and WCBS. He has also offered commentary on National Public Radio and been interviewed by newspapers and radio stations around the country. Lance has been an invited guest speaker at numerous technology conferences including Think Mobile, CEA Line Shows, Digital Life, RoboBusiness, RoboNexus, Business Foresight and Digital Media Wire's Games and Mobile Forum. Lance also posts to Twitter all day long. You can follow his tech industry activities and thoughts at http://twitter.com/LanceUlanoff