
Can Sony recover?

I don’t know whether to feel sorry for Sony or angry at the company or captivated in a detached-spectator-watching-a-race-car-wreck way.  All three, I suppose.

What we do know is that this is bad in so many ways it’s hard to get a mental handle on it.  I’ve heard it described as probably one of the biggest tech stories of the year, and I don’t doubt it.  Wikipedia had it on the front page, the Wall Street Journal and BBC are reporting on it, it’s just crazy huge.  And now we’ve learned that SOE players aren’t immune to the theft of private info.

Personally, I’m not a Sony guy at all.  I really haven’t been since back in my PS2 days, and except for the rare foray into an SOE title for a trial run, I’ve not been a part of their MMO world.  Still, this news is disturbing on a few levels, mostly because it shows that our information is always vulnerable even in the hands of huge corporations.

I don’t blame Sony for the attack, per se, although the question of their security measures is up in the air.  I do blame them for some of the absolute worst PR I’ve seen in a long time, although from what others have told me, this is kind of standard operating procedure lately.  It’s inexcusable for the company to have dragged its heels for so long after knowing of the attack and just not getting word to the customers as quickly as possible.  Then, yesterday SOE brings down its services with only a brief memo citing a discovered issue, leaving players in the dark for well over 12 hours before saying anything else.

I’m sure Sony’s working like crazy to get everything back up and running, because it’s costing them money and customers the longer it’s down.  They’ve even stated that SOE customers will be compensated for the inconvenience in several ways, including additional game time, so maybe that takes the sting off.

So while I’m sure the company can recover physically and in regards to security, the big question is if Sony can recover consumer trust.  Again, my beef with them is more in regards to the atrocious lack of communication than the attack itself (let’s not forget that the hacker is the main villain here).  Any company that leaves me in the dark about an issue that doesn’t just concern my play time but my private information is a company I will certainly think twice about ever trusting again.

What do you think?  Does Sony have a good chance to get over this or is the company irrevocably tainted?  Are we blowing this situation out of proportion or perhaps not getting riled up enough?

25 thoughts on “Can Sony recover?”

  1. I will never play an SOE game again…I am not sure what has been lost data wise…been so long since I have logged in, just not sure what’s there.

    Wonder if I really count and wonder if others will feel the same way?

  2. Wait, I’m confused. You’ll trust Sony less with your private information because they took an extra 12 hours to tell you it was lost? What were you going to do with those 12 hours? Change your phone number, move, and file for a legal name change?

    The question of security is a valid one these days, but it’s hardly unique to Sony. Will you ever trust Trion again? Seems their track record of security over time is far worse than Sony’s is right now. CCP’s has also been horrible recently. Blizzard has accounts hacked on a regular basis. Can THEY recover? If you use Amazon, your email was recently released and compromised – same goes for most major banks and retailers, and it took many of them weeks to announce that they were part of the breach. Last year Apple and AT&T had full data breaches that allowed direct access to your email. Why aren’t you asking if any of them can be trusted ever again? Still loving your iPhone?

    Could Sony’s PR have been better? Probably. But that has zero to do with the security side, and deciding that you can’t trust a company’s security because you don’t like their PR is just silly.

    Is this a big story? Of course. There are a multitude of serious questions surrounding privacy and data security in our information-based world, and an equal number of serious discussions to be had about them. This is not one of them.

    And just for the record – I don’t currently play anything SOE puts out. I don’t own a Playstation. I have played SOE games in the past, and registered for some as recently as a few months ago, so it’s likely the data breach includes my data, my wife’s, and her sister’s. So this is not a “not my problem” response, it’s a “Take a look at everything else going on out there, and tell me why Sony is somehow unique.”

  3. I agree with the fact that their public relations on the matter has been less than stellar to say the least, but I think it’s been a matter of, like any big company, they’re telling us what they know when they feel it’s the best time. It’s just never a good time to tell us this. Heck, they’re still finding out more about how big this was and even when they fill us in, people run wild with it saying that there’s been more attacks when there wasn’t.

    I have a lot invested in my PS3. With Move controllers, a couple of fight sticks and at least a dozen games, you KNOW I want the thing working again. So, not really from a fanboy perspective, but from an invested consumer (just like I’d be if the 360 was attacked) I can do nothing but wait (already canceled my credit card and received my new one), and hope that they’ve learned a lesson from this. They’re moving their data center and will most likely be adding security measures against future attacks.

    Bottom line though: Sony is way too big for them not to recover from this.

  4. This is the Internet. In 6 months people will have moved on. Some people will beat the horse forever — the same ones who still use the NGE as a touchstone, for crying out loud — but something will catch their eye from Sony, and they’ll forgive.

    Really, voting with our wallets is a great bumper sticker, but that’s ALL it ever turns out to be. There are people who like to stand up and trumpet their principles, and that’s good for them, but there are far more people out there who are either not so self-focused as to announce their intentions on the Internet, nor are they really so obtuse to not realize that this is a price we all may end up paying when we approach the Internet.

  5. As many have been saying, we have yet to see how much fault lies with Sony’s security practices. I want to see more on that before completely hanging them out to dry. (Although I agree on the communication flubs. I swear companies have the worst communication these days and it is the one thing that they need to have in top form to deal with their customers.)

    This situation is certainly a big deal and one that has the potential to impact the lives and security of many Sony customers. But to say I’ll never use a Sony product/never play an SOE game/etc again? I’m not prepared to go that far based on this incident alone. First I want to see the rest of their response (no, not the free month of game time, I want to see if they take steps to shore up security; even if the theft was not something they could have reasonably prevented, not correcting the problem would be worse than having lax security in the first place).

    I mean, look at this article:
    http://www.pcworld.com/article/226908/sony_hack_caps_recent_string_of_security_horror_shows.html

    I don’t know much about some of the other information leaks mentioned, but is everyone supposed to move out of Texas? stop buying Yankees tickets?

    I hope Sony can recover and learn from this. I hope other companies are able to learn from this as well. Depending on how/why this happened, maybe it could have just as easily been someone else attacked.

  6. Four years after cancelling, I get an email from SOE saying “Come back to EQ2”, and I resubbed about 4/28/11. I was loving the whole experience and everything goes down.

    I’m certainly atypical, most of y’all go from game to game to game, but I am more of an invested player and will simply wait for Sony to clean up the mess and let me back in to the only game I want to play right now. And monitor my credit card, and the whole situation, very carefully in the meantime.

    Strangely, despite the reporting of the breach, I may not be affected as I have not received any email from SOE, so keeping my fingers crossed.

    The only time I’ve been hacked was the late ’90s through an insecure Ebay password. It was no big deal to clean up. I’m hoping my personal security can withstand the leak of my credit card, if it even got out.

  7. Can SOE get past this? Probably. They do have a good core of fans that are likely to stay. In 12 months, most people will not even remember this.

    I will continue a subscription habit I started a few years ago but have not always followed through on. Nowadays, I usually pick up a game time card if I want to play an MMO. I’m less likely now to use my CC at a game company site. I have done this for WoW and WAR in the past. If I decide to continue playing EQ2 (just re-subbed last month), then I’ll also move to using game cards with them as well. Yeah, it might cost me an extra $0.50 to $0.75, but gives me a better peace of mind when this happens again; and it will.

    I will not consider a new game if they do not include this option.

  8. I’m not angry at people stealing my info, I’m mad they make better use of it than I do.

    Thieves bought tickets to Madrid one time with my credit info, and I was like WTF that sounded awesome.

  9. I’d thought about making more or less this exact same post, but you beat me to it. Ah, well… but man, it’s been a bad year for Sony overall and SOE in particular. Layoffs, a massive DCUO server merge already, the PSN debacle, and now all SOE games offline until who knows when. I think they’ll recover, but it’s going to take some doing.

  10. I see some “Never Again SOE!” from people who were already in no danger of subbing to an SOE product based on past comments. One more stick to use to vent their hate. Not that Sony hasn’t done more than their share to earn that enmity, but you can’t raise your hand to be counted again if you’ve already said no.

    Will SOE specifically, and not Sony in general, recover? That depends a lot on how this plays out.

    They have already shown themselves to be more responsive than their corporate overlords at SCEA. Did we know anything like this amount of detail even 72 hours into the PSN debacle? SOE is far more rooted in American business and culture than SCEA.

    SOE’s business is online games. If this outage runs two weeks, the long term players, the core supporters will return.

    But those not so invested might just fade away. EQ2X is packed with players who are new to the game. It is clearly successful. But will those players come back after an extended outage?

    Our own regular Saturday night group just jumped into EQ2X a couple of weeks back. Two of us are totally into it, but the rest are on the fence. A long outage could push us to find another game, and that would likely keep us from returning for a long time, if ever.

    This could end up as a big enough hit that SCEA uses it as an excuse to take over SOE entirely. Having been a software guy at a hardware company in the past, that would turn SOE and most of their games into a memory.

    If they lose three weekends of play time because of this, my guess is that SOE will be fully absorbed by SCEA within a year, at which point the game lineup will be reduced to DCUO, FreeRealms, and *maybe* EQ2/X. Everything else will be cut.

  11. Wilhelm nails it from the player viewpoint.

    Financially though, can Sony recover? Almost certainly, but it is going to cost them. Both in indirect costs as some people cancel accounts and in direct costs for lawsuits, credit monitoring and credit card replacements. There are various numbers floating around the Internet about how much a data breach costs. Some estimates run as high as $200 per record. With Sony’s total now at 100M records that’s a potential $20 BILLION dollar hit.

    SOE is probably in worse shape. My understanding is that many of the titles were just hanging on anyway. Could SOE handle a potential loss of $5 billion? I doubt it. In fact even a tenth of that is likely to be fatal.

    @Buhallin

    Sony’s breach is an order of magnitude worse than either Trion’s or Blizzard’s account hacking. Imagine if every single Blizzard account were hacked at the same time. This is worse. A lot worse.

    Mike.

  12. @Mike: I’m not arguing that the outcome isn’t worse – it certainly is. But is it really any worse of a failing?

    If we even go just to EQ, Sony’s been running MMOs for a decade without serious security failings. Trion managed less than a month. Blizzard has a decent number of things in place now to help protect accounts, but how long did they leave things open because it wasn’t worth it to them financially?

    My point is that Syp, and other “I won’t trust Sony again” people are making a judgment based on flawed metrics. The impact of the SOE breach is orders of magnitude higher than the recent Trion or CCP breaches, but was their FAILING any worse?

    The Trion and CCP forum debacles are serious, hardcore failings of the most basic software security practices, but they had relatively small impact. We don’t know for sure yet how the attackers gained access to Sony, but with a breach of this scale it wasn’t a bored EQ player who’d always wanted to play script kiddie. So CCP and Trion fail on a basic level with small impact, and it’s not a big deal. SOE falls to what looks like a coordinated attack by a highly-skilled attacker, and we should never trust them because the attacker hit it big.

    I’ll offer an analogy to make my point, although I truly hope we don’t get wrapped around the analogy, and yes it’s exaggerated to make the point… Say you have two drivers – one a decent driver minding his own business, the other so drunk he can hardly stand up. The attentive driver gets rear-ended by someone road raging, and is in a horrible accident. The drunk guy bumps a phone pole pulling out.

    Which do you trust to drive more? If we use Syp’s standard, we trust the drunk – because the visible impact of his accident is smaller.

    My point is simply this: The large nature of the breach doesn’t actually tell us much of anything about Sony’s security practices. If you’re going to make a judgment on whether to trust Sony in the future, THAT should be the basis for that decision, not how many people lost their data.

  13. Buhallin — Their failing was worse from a customer relations standpoint, which is important whether you’re dismissive of it or not. When Trion had issues, it got on top of it, it kept communication open with the customers, and it laid out how they were going to fix it. Sony’s approach was a wall of silence, delay and vague details that compounded the situation when the magnitude of the problem was revealed. It certainly makes them less trustworthy, because people judge companies not just on their track record, but how they respond to mistakes and crises.

    As for their security, I said “I don’t blame Sony for the attack, per se, although the question of their security measures is up in the air.” It’s up in the air. I agree that we don’t have the information necessary for a judgment on whether their security was weak or whether the hacker was just talented and/or lucky.

    But over all of this, you’re ignoring the entire question of my post, which is how and if Sony can recover from this.

  14. As a public, we have no lasting care for our private data. We’ll throw a fit, and move on. Gamers are worse – get the games back up, and this thing will go away.

    I still think it’s dumb to trust a company’s security based on the skill of their PR department, though. Trion being good about telling you that someone else found the problem for them doesn’t make their software any more secure. I also think you give them too much credit – their security issue was an easy PR fix… Someone found the problem and reported it to them without exploiting it, and they were able to pretty much fix it before they ever had to say anything at all. Let it sit quietly exploited by gold sellers and hackers for six months before it gets discovered and see how open they are.

  15. @Buhallin,

    You are so naive it’s funny.

    Trion’s problem was an authentication problem that allowed access to INDIVIDUAL ACCOUNTS without the proper password (LDAP Bug probably). [and Wow was a similar individual account compromise]

    SOE problem is complete data center compromise in an intimate way. That is they were hacked for a long long time. So long that not only did the hacker gain access to MILLIONS OF ACCOUNTS but so far Sony has been unable to confirm that all the hacker’s backdoors, root kits, and trojans have been verifiably removed to ensure that the hackers cannot get back in.

    THIS IS WHY they shut down their servers to get physical control of their servers for complete scrubs.

    To date neither Trion nor Blizzard has been completely PWNED like this. In fact this data breach ranks right up there with the TJMaxx data breach in its persistence.

    Have fun with your preconceptions about “data privacy” or what you believe is real. You appear to be very unsophisticated on these matters and I suggest reading up before posting further.

    http://www.informationweek.com/news/198701100
    http://en.wikipedia.org/wiki/Operation_Aurora
    http://www.infoworld.com/d/security-central/pentagon-shuts-down-systems-after-cyberattack-845

  16. Syp,

    To answer your question. No SOE will NOT recover.

    In fact I would be surprised if SOE continues to operate the same way in the near future. Radical thoughts like “going free” so we don’t have credit card information that could get Sony sued within an inch of its yen would all be on the table.

    In the TJMaxx incident (where nearly this many CC accounts were compromised) TJMaxx was sued by the Banks who were exposed to losses. I see this kind of thing happening again but with a twist due to PCI DSS (http://en.wikipedia.org/wiki/PCI_DSS) Sony now has to re-certify all their systems.

    Frankly this “could” cost more than Sony might be able to make in revenue going forward… So they might pull the plug. [Really yes they might, Japanese companies are like this when company reputations are on the line].

    AND No you are not blowing this out of proportion… Sony has a VERY VERY big problem and the shutdowns proved they don’t have this locked down yet. Online services have a shelf life of days when they go down hard. Sony won’t have an online asset in a few days if they don’t positively fix this… while most likely fighting a running battle with a sophisticated hacker group for control of their systems.

  17. And the latest…

    Robert Cringely has a post out about this…
    http://www.cringely.com/2011/05/til-death-do-us-part-sony-and-the-credit-card-companies/

    His take is that Sony will outsource the security of the 100 million accounts. So as usual Angry is right (Sony will be out of CC biz) but wrong about how (Sony will outsource..).

    It’s a good take from a top notch futurist who knows his stuff.

    In any event expect BIG BIG shakeups at SOE and probably closing of wholesale offerings (EQ I or II?)

    Ultimately this is NOT the business Sony wants to be in right now. And with Ohga just dying there will be changes… count on it. (http://en.wikipedia.org/wiki/Norio_Ohga)

  18. Uh right. Sony is going to pull the plug on not only its SOE games…but the entire PS Network including untold legions of CoD fanboys and the like.

  19. Well, I have to say that I have enjoyed the comments and people have made some interesting points all the way around.

    I think it boils down to a few things…

    Will SOE release all their information to the public and if so in what form? I think a simple timeline of when things happened, when they were discovered, and how they were handled is certainly in order. With explanations if it is not easily understandable.

    How they gained access to their database. That information should come forth, as well as, how they are protecting our information now.

    Until this happens or does not happen… I agree with other posters.. the jury should be out. After all, it was a hacker who did this (intentionally or was lucky is still unknown) and even though I have had my fair share of issues with SOE.. I can’t make blind comments one way or the other until all the information is in.

    However, Wilhelm Arctrus does bring in very valid points as to possible outcomes.. I shudder to think what will happen if SOE loses control and SCEA does take control. SCEA is not going to understand the player base and will make poor decisions just based on numbers and their perceptions … I think the devil you know is always better than the devil you don’t know. Just a thought.

    Everyone makes mistakes. Why can’t we just assume that SOE did its best till we have the information to judge? If the information does not come out… then we can say.. THEY SCREWED UP…. BLAH BLAH BLAH

  20. Wow, Angry, u mad?

    Sorry, couldn’t resist.

    Please save the personal insults – I work in the field. I have a decent understanding of security, and you’re so busy frothing at the mouth you’re ignoring my point and making exactly the same mistake I’ve been pointing out.

    The impact of Sony’s breach is huge, and it’s bad, but that says nothing about how tight or effective their security was. I consider Trion’s lapse to be pretty much rank incompetence – yes, it only allowed access to single accounts at a time, but it was a serious oversight in basic design. CCP’s recent forum fiasco is another example of the same.

    You cannot judge the competence of a company’s security practice by how bad the breach is. Big breach doesn’t necessarily mean bad security.

    Your overblown comparisons are wrong on so many levels it’s not funny. The TJMaxx breach hit over 45 million credit cards – Sony’s pegged the current number at 12K, all of which are likely expired at this point. More may be at risk (10 million) but you’re jumping to assume they were compromised, which has yet to be seen. By most accounts TJMaxx’s security was also incredibly bad, and remained bad after the breach, which opens them to liability. And while you’re obviously ready to assume Sony was hosting guided tours with the admins handing out informational packets of passwords and access points, we don’t actually know any of that yet.

    Not that actual information will have anything to do with the gaming community’s reaction, as you so aptly prove. I’m not sure what the fallout of this will be in the long run, but I am quite sure you’re a clueless wannabe who really should just stick to watching Hackers.

  21. And you know what, Angry, I’ll add ‘dishonest’ to ‘clueless’

    I go through phases of reading Cringely, and since you linked I decided to catch up. If you’re going to link a post to a top-notch futurist, you should probably look at his previous post, which can best be summed up as “Nothing will happen to Sony over this.” He doesn’t have a kind analysis of Sony and their security, but he’s pretty much at direct odds with your thesis.

    So… Do we trust Cringely or not?

    http://www.cringely.com/2011/04/sony-may-be-clueless-in-psn-hack/

  22. I’ve been thinking about this as well as a Sony customer. I haven’t even checked to see if PSN is back up. I’ve given up on it. When it happened, I checked my email and found I was notified immediately and checked all my personal information to see if anything looked suspicious, such as payment for a boobjob or something else that would be really weird for me to get (as a guy, for instance).

    I think Sony will eventually recover, but they just got kicked in the nads and will be on the ground for a long time. They need to provide more security layers that other games have incorporated and also consider hiring a brand new team of top men to monitor and protect our info and gain back our trust. Personally, I will probably only throw a fit and walk away from Sony if my info is messed with, otherwise I really don’t need be mad. No harm done, although it will make me wary in the future.

  23. I will now qualify that things aren’t looking good for Sony. A great deal of the commentary is starting to swing towards “incompetent security” although we’re still missing a lot of the details as to whether the hole being reported is what was used to gain access.

  24. It’s just funny. I bought an EQ2 box that has the game’s installer and 30 days subscription to see if I would get into it. The day this happened without knowing. Before I got the error message telling me about connection timeout, I received a message that said that my 30 days, is actually 14 days, and I can forget what stood on the box. Bad start, but hey, I already bought it, there is no return policy, may try it anyway, and if the game was good, I might forgive it (unlikely).

    Then it refused to run. Going online, looking for answer. Ah the service is down, crap. Well that’s it people, I uninstalled it, and I accepted that I basically threw money out of the window.

    This kinda reminds me of buying my Sony Vaio laptop, the one that came with crapware infested Vista, dumbed down BIOS that doesn’t let you turn off the SATA harddrive acceleration, and Sony doesn’t give out XP compatible drivers for it. (Nvidia can’t, because they have a contract with Sony that forbids them) It was a pain in the ass to install XP (I didn’t buy a laptop with 2 gigs of ram so Vista eats it all up), and even worse to get working drivers, and updates for them.

    To put it short, thank you Sony. You have fully convinced me to avoid your brand name like the plague. Never again, will I buy anything that has Sony standing on it.
