Sony CEO Adamantly Defends Openness On PSN Attack

[Tom Goldman]

Sony CEO Adamantly Defends Openness On PSN Attack

Sony's Howard Stringer snaps back at critics that think the company didn't reveal information about its hacked servers quickly enough.

For more than 3 weeks starting on April 20, Sony was forced to bring the PlayStation Network down (and later customer information [http://www.escapistmagazine.com/news/view/109723-Hackers-Also-Hit-Sony-Online-Stole-12-700-Credit-Cards]. The company has been taking a lot of heat for not mentioning that this data may have been stolen until around a week later, but president and CEO Howard Stringer is having none of it.

Speaking to reporters, Stringer was unapologetic about the timeframe Sony followed in regards to the hacking incident. "This was an unprecedented situation," he said. "Most of these breaches go unreported by companies."

"Forty-three percent notify victims within a month," he added. "We reported in a week. You're telling me my week wasn't fast enough?"

In an interview with the New York Times, Stringer said Sony "reported quickly," and added that the company made security a company-wide focus from "televisions to e-books, and onwards." He revealed that Sony is still in the process of investigating how the attack took place and who may have been responsible.

Sony previously free games [http://www.escapistmagazine.com/news/view/109587-Sony-Claims-It-Told-Users-of-PSN-Info-Breach-Immediately] to make up for the trouble.

I hate to side with the corporation here, but a week doesn't sound like that long a period of time to investigate a server attack and notify customers of its potential (correct me if I'm wrong). In Sony's defense, it could have kept going the "technical difficulties" route but was fairly upfront and honest about what's been going on through this whole process. Sony very well may have been negligent in its security methods, sure, but it was also a victim here to some extent.

The PlayStation Network is now back up [http://www.escapistmagazine.com/news/view/110055-Sony-Restores-the-PlayStation-Network] and running, though the PlayStation Store still has yet to return.

Source: New York Times [http://www.reuters.com/article/2011/05/17/us-sony-hacker-idUSTRE74G41G20110517]

Permalink

 

[Triforceformer]

I'm going with Randy Pitchford on this one and saying we were a bit too harsh on Sony with this.

 

[MrGFunk]

I'm alright with how it was handled. I felt like I was kept in the loop. Probably a lot more than I would be if this happened to other corporations with lower profiles.

When I was informed my card details may have been taken I cancelled and replaced my card. Turns out this was unnecessary but I had no issue and no one I know has either. If anything Sony were too cautious - which I guess when people's money and possible litigation is involved they can't be.

And now I get some games I'll probably enjoy and wouldn't have bought.

 

[Yopaz]

I honestly think they did a good job keeping users updated. I am not a PSN user myself, but I saw news articles about the progress all the time. Honestly, I don't think many companies would handle it this smoothly and keep their users this well updated. Since I never used PSN I guess that might be a reason why I never really got mat at them too.

 

[Fiz_The_Toaster]

I'm fine with how long it too Sony to let us know of its' breach, yeah I'm a little sore with how they handled it, but I felt they kept us in the loop.

I'm going with Randy Pitchford on this one and saying we were a bit too harsh on Sony with this.

I agree. I felt a little ashamed that he had to come out and say this. We were too hard on Sony, and they were a victim in this just as much as we were.

 

[mjc0961]

"Forty-three percent notify victims within a month," he added. "We reported in a week. You're telling me my week wasn't fast enough?"

If it took you a week to find out about it and you reported it as soon as you knew, that's fine. If you knew from day 1 though, no, the week isn't fast enough.

I still don't see we why need this back and forth bullshit though. Aren't multiple governments investigating this whole thing? Can we really not wait for them to say "Okay, here's what we were able to prove in our investigations."?

Seriously, Sony's focus right now should be on everyone's identity theft protection plans they promised. Not on making multiple "WE REPORTED ASAP, PROMISE!" statements.

 

[aesondaandryk]

Seriously, Sony's focus right now should be on everyone's identity theft protection plans they promised. Not on making multiple "WE REPORTED ASAP, PROMISE!" statements.

The reason their making this statement is because of people like you who won't stop talking about it.

 

[Spygon]

Does this sound abit to much like well "other people would have been slower to tell you" type statement dont try and point the finger at other compaines about your lack of reaction time.

I can noot see how as soon as they knew that had a been hack just made a statement like we have been hacked we dont how bad it is but at the worse they could have all your personal data.

In an event like this time isnt on your side always expect the worse.As i am sure alot of people would perfer to be told then make there own minds up on changing there details than waiting a week to realise that there bank account seems to be empty.

Security and safety should always come over public image.

 

[StoryMode]

I think Sony did a great job and more companies should follow its example. Very professional, as always Sony. I'm glad to be a supporter. I don't care to admit fanboyism here... haha

 

[fabiosooner]

"I hate to side with the corporation here"

Corporations are nothing more than a bunch of individuals, and therefore are liable to tell the truth as much as anyone else. Don't hate siding with the corporation. Hate the lies people tell. If Sony's telling the truth, it doesn't matter a single bit if they're a corporation or a bum in the street.

 

[AndyFromMonday]

So what because other companies choose to announce a month later that means you should follow their example? The fact of the matter is, Sony should have reported the theft the moment it happened so people would immediately start monitoring their credit cards.

 

[dnadns]

A week is pretty quick from my work experience and Mr. Stringer is correct that most companies don't even report the intrusion at all if possible to avoid the bad press.
What most people don't see right away is the fact that a "potential breach" looks pretty similar to a simple hardware or software error at first and only during the investigation it becomes apparent that there is more to it. After that, you most likely still don't know what was affected.
Adding the time it takes to get outside help and most likely the need to stay silent so that an ongoing investigation might not be jeopardized, things got public pretty soon.
I can understand that a situation like this is a bad thing and I was annoyed by the downtime and information leak as anyone else, but I can't really blame Sony for their PR work.

 

[Sylveria]

82% of statistics are made up right there on the spot.

Maybe a week is a good time table for admitting there was a breach, I don't know. However, Sony hardly handled this in a stellar fashion. The amount of heat they're under not just from consumers but from various national agencies all over the world shows that their network security was sub-par at best. Being apologetic after the fact and being, allegedly, quick to work on damage control does not remedy the situation. Before the apologists get all hissy, no I'm not expecting hackproof security since that does not exist, but I expect more than non-encrypted plain-text databases with a single failure point.

We were not too hard on Sony and you people being all "oh I'm so sorry I picked on you Mr. Sony" are pathetic. Show some bloody integrity. He could just be talking totally out of his ass in an attempt to do exactly that, make you feel sorry for them. We don't know if a single word from his mouth is true or sincere.

 

[ThrobbingEgo]

Sony's online store shouldn't have been walking around in that neighborhood at night while wearing low cut jeans.

 

[Therumancer]

Well, I still insist that Sony pretty much provoked this attack, and I still want to see them admit they were wrong about the other OS thing and apologize.

As far as their comments about their speed of respone, I personally don't consider "oh well, other companies report things much slower, if at all" to be an excuse, other than to say that perhaps various goverments who were concerned here should spend more time looking into the reporting processes of other companies. Start giving CEOs jail time if they don't immediatly inform customers of attacks, their nature, and the possible risks involved. The big reason for not wanting to do so, largely seems to be so that the companies in question won't look weak, and I think "face" is a big part of this whole thing. It's also why I think we might see more attacks on Sony in the near future, because Sony refuses to concede they were wrong about the "other OS" pull back, restore that functionality, etc... largely because that will show a group of hackers took them down, and also establish precedents away from the whole "it's our property, we're just nice enough to let you use it in exchange for money" definition that they (and other companies) are pushing it. I very much do not see Sony as being victims here. What the hackers/Anonymous have done is not right, but at the same time Sony isn't right either, in fact I might say that I haven't let their current woes detract from how angry I was over the "other OS" thing, despite not using it myself, and actually consider them to be MORE wrong here than the hackers. It's hard to take them seriously as victims when they were victimizing their customer base and brought this upon themselves.

In fact it's this kind of arrogrant justification in saying "we weren't wrong here, because other companies do worse" that is at the root of their problems to begin with.

Or in short, this is all about corperate attitude adjustment, I appreciate the gestures Sony has made to users over the down time, but overall I'm getting tired of them flapping their lips and trying to justify their part in the overall situation. The only thing I want to see their CEOS say is "I'm sorry, we were wrong, we brought this upon ourselves and it trickled down to our users, we'll change our policies and do better in the future". Free games are nice, but since I don't believe it's happened yet, I'd also like them to restore the "Other OS" option to users that use it, but of course for that to be meaninful it has to come with an apology.

 

[poiuppx]

Well, I still insist that Sony pretty much provoked this attack, and I still want to see them admit they were wrong about the other OS thing and apologize.

As far as their comments about their speed of respone, I personally don't consider "oh well, other companies report things much slower, if at all" to be an excuse, other than to say that perhaps various goverments who were concerned here should spend more time looking into the reporting processes of other companies. Start giving CEOs jail time if they don't immediatly inform customers of attacks, their nature, and the possible risks involved. The big reason for not wanting to do so, largely seems to be so that the companies in question won't look weak, and I think "face" is a big part of this whole thing. It's also why I think we might see more attacks on Sony in the near future, because Sony refuses to concede they were wrong about the "other OS" pull back, restore that functionality, etc... largely because that will show a group of hackers took them down, and also establish precedents away from the whole "it's our property, we're just nice enough to let you use it in exchange for money" definition that they (and other companies) are pushing it. I very much do not see Sony as being victims here. What the hackers/Anonymous have done is not right, but at the same time Sony isn't right either, in fact I might say that I haven't let their current woes detract from how angry I was over the "other OS" thing, despite not using it myself, and actually consider them to be MORE wrong here than the hackers. It's hard to take them seriously as victims when they were victimizing their customer base and brought this upon themselves.

In fact it's this kind of arrogrant justification in saying "we weren't wrong here, because other companies do worse" that is at the root of their problems to begin with.

Or in short, this is all about corperate attitude adjustment, I appreciate the gestures Sony has made to users over the down time, but overall I'm getting tired of them flapping their lips and trying to justify their part in the overall situation. The only thing I want to see their CEOS say is "I'm sorry, we were wrong, we brought this upon ourselves and it trickled down to our users, we'll change our policies and do better in the future". Free games are nice, but since I don't believe it's happened yet, I'd also like them to restore the "Other OS" option to users that use it, but of course for that to be meaninful it has to come with an apology.

...you DO realize that a hack like this more or less makes it 100% certain we will never, EVER, see a legal Other OS on a Sony console ever again, right? Between GeoHot and this, the sentiment is likely to be 'screw this, we're never going to even come CLOSE to this can of worms again', with some side comments in the board room about what they'd like to do to these hackers with five minutes in a locked room and a nice sturdy baseball bat. The only corporate attitude adjustment this caused is that they're likely to be fifty times more locked-down with any future creations.

 

[sunburst]

"Forty-three percent notify victims within a month," he added. "We reported in a week. You're telling me my week wasn't fast enough?"

Being better than terrible does not make you great. We haven't been too harsh with Sony. We've just been far too lenient towards everyone else. I know people usually don't care about their information security so I can see why Sony might be shocked now that everybody suddenly does. But this reaction should be normal. Any company taking personal data in exchange for their service must be held accountable for its protection. Taking a week to assess the situation does not fly when it's your customers who are at risk.

Unfortunately, it would seem that public opinion has been swinging back into Sony's favor ever since they began bringing the PSN back online. I guess no one really cared about security after all. They were just upset that they couldn't play their games online for a few weeks.

 

[icame]

Most companies don't report it? So what? Your using something like that as justification to not letting users know that they could be under threat of identity theft for a week? Don't make me laugh. That is the worst excuse I have ever heard in my life. How can this kind of person be running a multibillion dollar corporation? Oh right, the same kind of person that could let this whole fiasco happen.