Why did Sony wait so long to admit to PSN data leak?

Sony’s PlayStation Network has been offline for over a week, leaving users confused about what’s going on. So why did it take a whole week to hear that personal information – including bank details – may be missing?

How do I know when a gaming story has become ‘big news’? Not when it appears on the BBC homepage, or gets mentioned on the News at Ten. No, I know a story has really broken when my Mum mentions it.

So it was this morning when I received a text from her, asking if my credit card details were safe, and I knew that Sony were going to face a big PR battle with their handling of the PlayStation Network (PSN) data breach.

Sony PSN gets hacked

For those who aren’t aware, Sony’s PSN, an online store used for purchasing and playing games, as well as films and other services, has been offline for over a week. The reason, as revealed yesterday, was that the service had been hacked into, and the personal details of its 77 million users taken.

The first I knew about the service going down was when I tried to play Portal 2 and got an “error 80710a06” message.

Portal 2 is a huge release for 2011, launched a few days before the PSN outage. It allows PS3 players to play live with PC gamers, and is a ‘big deal’. The excitement around the release has been immense… and wholly tarnished by the PSN debacle.

As a user of the service myself, the question I want answered is, why did it take Sony so long to confirm that security had been breached? Users had to wait a week before they confirmed that personal and financial details were at risk. Surely we could have been told sooner?

What’s happened to our personal details?

It’s no secret that a lot of people use the same passwords for various sites online. For these people, the breach of their PSN account also puts their whole online experience at risk.

Email, Facebook, shopping and banking accounts are all vulnerable to abuse from anyone who gets hold of their PSN details. Naturally it’s best practice to have unique passwords for all sites, but there are still lots of people out there who prefer the simplicity of one password rather than the security of many.

On top of this, and perhaps more worryingly, Sony have stated that credit card information may also have been taken. This has not been verified yet, but it is a very real possibility.

Had Sony done the decent thing and actually warned their customers sooner, we could have all taken action, be it making sure our passwords were changed, or being more vigilant of our credit card bills. Anyone who may have illegally got hold of our details was essentially given a week’s head start on us.

Why didn’t Sony tell us sooner?

They had already confirmed that the PSN service was down due to ‘external intrusion’ on the 19th of April, although they say that a data leak was not confirmed until the 26th.

Surely they should have advised us that there was a chance our details may have been compromised the moment their servers were hit. Wouldn’t we rather know early on that there was a chance of our personal details being exposed, rather than wait for it to be confirmed?

Perhaps Sony felt that the threat wasn’t a real concern, or maybe they didn’t want to overshadow the announcement of their latest tablets. They probably had their fingers and toes crossed that the issue wouldn’t become a huge PR nightmare. Too late.

I have already decided that I will remove my card details from the PSN the moment it is back up, and I am sure I’m not alone. Like a lot of people, video games are a massive source of entertainment for me, and I could do without the threat of identity or credit card theft hanging over me whilst I’m playing Portal 2.

Russ says:
27 April 2011

Personally, I’m not surprised it took them so long to determine exactly what data was at risk. We’ve seen this before with other DDoS-based attacks on high-profile systems and websites and it’s not instantly recognisable that the issue could be a breach of personal information.

On a side note, I think it’s more worrying that the store and user details are so close, but they haven’t disclosed their architecture so we don’t know if that’s really the case.

Would you rather have a world of scaremongering (which is now what is happening SINCE they announced the potential breaches) ahead of time? Who in their right mind DOESN’T already keep an eye on their transactional history (especially on something like a credit card account)? As for people having the same passwords... well, that’s just stupid and irrelevant to the discussion. If people are dumb enough to have weak and/or matching passwords on multiple sites then more fool them.

I’d rather have my teams focusing on the work and not the PR backlash.

xVIDAx says:
27 April 2011

Go visit PS Blog for the answer, thanks, get your facts straight.

Gama says:
27 April 2011

This is the reason Sony gave yesterday, though you’re probably aware of it:

“I wanted to take this opportunity to clarify a point and answer one of the most frequently asked questions today.”

“There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.”

I still think like you that they should’ve told us earlier of a potential breach, but the question you asked was answered… maybe you should’ve had the balls to say they ‘SHOULD’ have admitted earlier, then your article may have gone somewhere.

Adam says:
16 May 2011

So PSN is back, kinda… online play is back at least. But I’m a little concerned.

I’m not a big online player to be honest, so my friends list was limited to people I knew in Real Life – family and friends mostly – plus two people I’d met in Little Big Planet. I never received an unsolicited friends request – ever.

So last night I did the software update, reset my password etc. and then spent a couple of hours playing a simple, offline game then watching a couple of programmes on the 4OD player. In that time, I received two unknown, unsolicited friends requests.

Now it’s only a minor annoyance, but this was within a few hours of PSN being back, so my concern is, am I going to get spammed endlessly once everyone gets back on line?

I could delete my account and set it up again… but the kids will be upset that their efforts in earning Trophies would be lost.

Is anyone else getting more unsolicited friends requests now? Did people get them before anyway, and I was just lucky?

I know next to nothing about PSN; I do know that Sony are pretty hopeless when it comes to sorting out problems with their products.

For example, Sony Bravia TVs have had a glitch with receiving BBC HD since March 2011. It took until May 2011 for them to even admit there was a problem, and then only because What Hifi picked up the problem. (I did tell Which? about this but they seem to prefer recommending Sony TVs, not following up problems with them).