I stole that headline from Michael French on Twitter, so blame MCV if you didn’t like it.
The worst PR disaster for the industry up until this point has probably been the Xbox red ring of death debacle. Years of silence from Microsoft were followed by the admission that odds are your 360 was going to break, so warranties were extended to cover those machines for a bit longer, a large amount of cash was mentioned to cover the costs, and Microsoft turned a corner. It’s taken them years, but they’ve gone from saying nothing to having a pretty good relationship with their users. They have a Twitter account that pounces on anybody mentioning a support issue and have several quite publicly visible staff members who blog, tweet and podcast. Interestingly, this includes their Director of Policy and Enforcement (more on him later).
Microsoft learnt this lesson the hard way when the publicity from not being more open threatened to devastate their business. Although they’ve still got a long way to go, now when the service goes down there’s a tweet and blog post from somebody very quickly saying what’s going on, or at least saying that they don’t know what’s going on. More importantly, they reply to people who ask as well, which gives an impression of being open.
Compare this to Sony as the new biggest ever PR disaster for the industry unfolds. On the 19th of April Sony discovered that there had been an intrusion into the PlayStation Network from an unauthorised 3rd party, which is a nice way of saying they got hacked. They took the PSN down on the 20th, and then came a week of small updates that said nothing of any weight beyond admitting that they thought it was hacked on Friday and that they were rebuilding their service. These were basically daily “no comment” posts that were the total output of the Sony PR machine for that week. Finally we got an update confirming one of the worst possible outcomes: your user data has been stolen and maybe your credit card data too, but they can’t tell.
I don’t know about the rest of the world, but it’s front page headlines here with some of the papers. The data they have definitely got is valuable enough for identity theft, including what amazingly seems like the plain text version of your password, which Sony REALLY shouldn’t have stored. The data they can’t tell if they got is even worse, as it’s credit card information. It’s being called the biggest hack of identity information ever and I’m struggling to think of any larger ones. Do you use the same password for the PSN and other sites? Consider that public knowledge now, and the email address that you’ve got on file with Sony is most likely the first port of call for anyone trying that password. For an example of what this means at just one end of the possibilities I mention Microsoft again, as their top enforcement guy had his Xbox account hijacked earlier this month. The hijackers just needed access to his email account to reset the password on his account and gain control. They achieved this through social engineering of an ISP after he mentioned that he had changed the email associated with it from Hotmail to his own hosted domain. How many sites and services do people have registered to the same email address as their PSN account, sharing a password between the two? Even if the password is different for everything else, with a bit of digging they are able to change the passwords on these other sites with ease after dealing with the insanely insecure “mother’s maiden name” type questions that can usually be gotten around anyway.
There has been a lot of talk over the last few months about the security of the PlayStation, and the PS3 has been physically hacked, so it’s tempting to link the two. The communications between your PS3 and the PSN have been well documented as the hackers tried to regain communications with the server each time that Sony shut them out, and so there is a lot of chatter on the dodgier sites saying that the security was pretty dismal to start with. Did you know that every time you connect to the PSN it sends your credit card details (including the 3 digit security code) protected behind an HTTPS connection, even if you don’t buy anything that session? That’s what these sites are saying. I’ll not link to them because of their less than reputable nature, but a quick search should take you there. However, I don’t believe that this is behind the hack; it was most likely achieved by getting the username and password of somebody who did have legitimate access, through social engineering or a Trojan. Most likely this is totally unconnected to the hacking PR nightmare that Sony has already had this year, and Anonymous probably aren’t behind this either.
Hopefully this will be a positive moment for Sony in the long run, just as the red ring of death turned out to be for Microsoft, as they wake up to the fact that they are in the internet age now and need better communications and community management. They desperately need it at the moment, as their main points of contact on Twitter, for example, are the accounts for the blogs where they released the status updates for the downtime (fair enough) and comedy marketing character Kevin Butler. They need real people with real faces and a real dialogue, and they needed them last Tuesday. Or March 31st last year when the PSN crashed because of a bad leap year calculation and most games were unplayable for a whole day. Or when they were fighting the hackers trying to break into the PS3. Or… Well, you get the drift.
It’s sad to see the PlayStation name dragged through the press with such negative publicity but, like Microsoft before them, they just haven’t moved on with the times. I’ve been pretty critical of Sony over the last few years over their attitude and this isn’t helping, as they keep making the same mistakes over and over again. Being hacked is the small part of this issue; the reputation problems are going to persist for a long time. Sony need to do something to help restore trust, but they are stuck in the old ways and aren’t going to realise that (probably) just giving us all a free game isn’t going to cut it. It probably won’t even occur to them that better communications is what they really need in the long term, not token financial compensation.
9 comments
2 pings
Yellowdancer
April 27, 2011 at 12:37 pm (UTC 0)
No idea if this is valid but someone posted this in the Massively comment threads….
“…The PS3 was hacked pretty quickly too, the problem was Sony continually releasing firmware updates to counter hacks. Each security change should lead to a full security check before release, something they very rarely do because it’s freaking time consuming. The PSN security network has to be kept up to date with the changes. What happened here is that with the last firmware update by Sony, some code was found that allowed a console to be turned into dev mode and give access to the dev network on the PSN and thus allowed people to get rights they shouldn’t have gotten….”
It kinda fits a rumor. I heard this all blew up when Sony found people downloading games and not being charged. But since Sony never tells their customers anything, we’ll never know.
Jon Shute
April 27, 2011 at 1:26 pm (UTC 0)
I’m not sure that fits with what Sony have admitted to any more. It looked plausible until the announcements yesterday, but it doesn’t really fit with it being a mass theft of data.
Of course a few more details from Sony would stop all this speculation…
Akely
April 27, 2011 at 2:06 pm (UTC 0)
The fact that Sony waited several days before notifying their customers that their credit card data might be stolen would make me sell my PS3 if I had one. I mean… wtf?
I do not do much Sony stuff, but now I’m worried about their security as a whole. What about my credit card data from the EQ2 sub I had? Or the one the Mrs still has? I mean… it is the same company, sort of… Right?
Sony have a habit of going from bad to worse. I wonder when they will stop doing that.
Jon Shute
April 27, 2011 at 2:10 pm (UTC 0)
It should be noted that they haven’t in fact sent out the email notification to their customers that they said they would. If you don’t watch the news you have no idea it’s happened…
Akely
April 27, 2011 at 5:27 pm (UTC 0)
Just realized that when @shuttler tweeted that. I have no words. I used to be a press/info guy and one thing we always tried to do was to be pro-active. “Bad news about us should ALWAYS be told by us.” First you get a little control about how the thing is presented, second you can explain without getting questions put to you in a no-win way, but most importantly: much of the press have the “report it first or just rehash” mentality.
Sony is… wow… Epic fail.
Yellowdancer
April 27, 2011 at 6:47 pm (UTC 0)
Well, SOE is known for their great communication….
I posted in the accounts forum of DCUO asking if our accounts were hacked into. I was told that the accounts forum is not the place I should ask this question. I should ask in the General forum with all the posts complaining about low population, broken powers and cries for server merges.
Massively came to the rescue… Buried in SOE’s generic forums they said they’re still investigating but they believe SOE accounts were safe… There is a link in the recent SOE Massively article.
Of course once PSN is back up they could come back and say SOE account info was stolen also. No need to lose 2 revenue streams at the same time.
BTW, I took back my PS3 Portal 2 and bought an X-box one.
XirYug
April 28, 2011 at 7:39 am (UTC 0)
I’ve not had an email yet but I’ve heard of people in the UK that have. It’s pretty poor that Sony haven’t officially told many of their customers still via email that they might have had their account details stolen….but then it’s pretty hard to miss in the media at the moment.
The only thing I think might be in favour of people affected is the sheer numbers of accounts – 77 million is a massive amount of people and data.
Even 77 million rows of data (I am sure Sony are not that CRAP to put it all in one table) would take some time to gather and download (surely Sony have some sort of auditing in place ?)…..and then when you have 77 Million people’s data the chances of each one being used is pretty unlikely.
Just a complete guess here but you might be looking at 50,000 people’s data being used….which is probably less than 0.1% of the total data.
Van Hemlock
April 28, 2011 at 8:57 am (UTC 0)
Never had a PS3 or PSN Account, but I do have to wonder about the various and comprehensive SOE Station Account details I’ve liberally furnished them with. Troubling times.
Dr_Toerag
April 28, 2011 at 6:42 pm (UTC 0)
This news, like the old Warhammer Online Direct Debit Disaster (WHODDD, as it wasn’t ever known until now) makes me scared. I’m shocked by how much many of us trust great, monolithic empires of gaming that have the capacity to f**k up worse than we could on our worst day.
I’ll take my drubbings like a man, and won’t complain if the screw up was MY fault. It’s less easy to suffer these slings and arrows when the fault is someone else’s.
Someone else’s and they SHOULD HAVE KNOWN BETTER!!
PlayStation Network – Hacked Before I Could Enter My Credit Card « The Ancient Gaming Noob
April 27, 2011 at 7:40 pm (UTC 0)
[...] As noted elsewhere, It is better to be safe than Sony. [...]
Crisis Management Lessons from Sony’s PR Fukushima « Ronnie Simpson's Blog
May 10, 2011 at 10:17 am (UTC 0)
[...] Shute in his Consoling Gamers (www.consoling.tv) posting ‘It’s better to be safe than Sony’ sums it up well: “Being hacked is the small part of this issue… Sony need to do something to [...]