The details of the breach itself have been reported extensively, but to summarize, a hacker (or group of hackers) accessed encrypted areas of the PlayStation Network and through this gained access to a plethora of private customer information. The belief is that the majority of the information compromised is usernames, passwords, addresses and personal information stored on the network. There is no direct evidence that credit card information was taken; however, in keeping with the spirit of “better safe than sorry”, it must be assumed that one area being hacked means the entire system is vulnerable and credit card information could have been harvested by these hackers. This has sent PSN users into a panic and I have no doubt that credit card companies have experienced an influx of calls from people asking to change their credit card information. This is a wise cautionary move and it’s always better to err on the side of caution in these cases. Having said that, it’s important to understand that information being compromised is not the same as information being stolen or used for criminal purposes. With 77 million users worldwide, you are a drop in the ocean and it would be impossible for a hacker to even use a fraction of the information obtained to steal money, so you have a better chance of dying in a plane crash while holding a winning lottery ticket than you would being a victim of fraud in this breach. In the very unlikely event that your information is used fraudulently, credit card companies and banks have fraud liability clauses that protect you from incurring a loss, so you are protected even if the worst case scenario does come to fruition.
To say that Sony has taken heat for this breach is an understatement. Any kind of data breach erodes consumer confidence, but this being one of the largest companies in the world and the number of users being affected definitely puts the potential losses for Sony into the billions of dollars. In my own interactions with others online, the reaction has been hostile, with people declaring that they will never buy another Sony product again and that they will sell their PS3 consoles and go with the competition. I assume much of this is said out of anger, but it does show that people take this very seriously and Sony definitely cannot afford to allow this to happen again. We will no doubt see beefed up security when the PSN goes back online and Sony’s PR machine will kick into overdrive in an effort to make amends with consumers. There will be lawsuits, broken consumer confidence and some grumbling from people, but the dust will settle and people will move on. Let us not forget that Microsoft took a huge hit with the Xbox 360 and one of the largest product recalls in history because of the “Red Ring of Death” debacle, which also resulted in lawsuits. Added to which, there was an outage on Xbox Live that lasted for 11 days in 2007, which is harder to swallow given that this is a paid service. If anything, this shows that consumers are very forgiving and have short memories, so I see the negative fallout from this being fairly short term.
People have also given Sony flak for taking a week to inform people that their personal data has been compromised, and I was initially taken aback by this as well. However, I have a good friend who works in fraud restoration and investigations, dealing extensively with data breaches, and he actually said that this is faster than the norm. When a breach happens, there needs to be an internal investigation, law enforcement and outside security firms need to get involved and the exact extent of the information breached needs to be determined before consumers are made aware of it. This process often takes one to two months on the low end, while in some cases people haven’t been notified until six months after the fact. This seems like a long time, but informing people prematurely runs the risk of not informing them completely or pushing the panic button needlessly. Also, when law enforcement is involved, saying too much too soon can compromise the investigation. To the average consumer, this means very little when their own personal information is on the line; however, there are behind-the-scenes aspects that also need to be considered.
At the end of the day, it’s important to understand that privacy breaches happen. It’s a reality of the age we live in and this is definitely not the last of its kind we’ll see. If anything, the PSN breach has prompted us to take steps to protect our sensitive information that we should have been doing all along, like not allowing our credit card numbers to be stored online. I’m guilty of this as well, so I have since removed my credit card numbers from all sites I have business dealings with and I will use point cards for Xbox Live and the PlayStation Network moving forward, and if I need to use credit cards online, they will be for ad hoc purchases and I will not allow my number to be stored. The less of you that is online, the less likely you are to be a victim. But what I urge people to do is be cautious and make necessary changes in light of this breach, but don’t panic or jump on the “Boycott Sony” bandwagon. The system is currently down and I hope it stays down until the security holes are fixed, but life goes on and the breach doesn’t negate the 10 years I have been gaming on Sony consoles. I still love my PlayStation 3 and the many great games I own for it, so the wounds will heal and the sun will rise another day.