Gaming Nexus debate: The PSN Data Breach

Written by Jeremy Duff on 5/4/2011 for PS3, PSP

When 2011 draws to a close, and the industry looks back, the great PlayStation Network outage / data breach will undoubtedly be one of the top stories of the year. The amount of attention that this story has received over the past couple of weeks is unprecedented for a gaming industry event. The debacle has managed to break out of the confines of our little gaming world and land on the radar of not only the mainstream news and media, but also numerous government agencies and departments including the Department of Homeland Security and Canada’s Privacy Commissioner.

Even though the facts regarding the data breach and its effects are just now making their way to the public, everyone seems to have an opinion on the events that have transpired. This past weekend, I decided to reach out to the rest of the Gaming Nexus staff and see just how they felt about Sony’s ordeal and how the situation had been handled. Just as I found in surfing the Internet in recent weeks, the opinions of our own staff covered a wide range of perspectives from optimism and forgiveness to outrage and cynicism. It is important to note that these views were all expressed prior to Sony’s official press conference and Q&A sessions held on the subject on Sunday in Japan. The press conference, which Dan reported on early Monday morning, outlined the events that had transpired and Sony's plans to restore services over the course of the coming weeks.


So, just how does the staff of Gaming Nexus feel about PSN-gate 2011? Let’s find out.


Do you agree with the manner in which Sony has handled the security breach re: PSN?

The Naysayers...
Ben Berry: The problem here is that this isn't just your credit card number being stolen, which today is not only all too common, but usually fully reimbursable by your card company. Rather, it included your address and other private details. We simply have no idea whose hands this list will end up in.

The Pendulous...
Tina Amini: I'm conflicted here. On the one hand, as a consumer who is potentially at risk for the worst (i.e. identity theft), I'm distraught that Sony held out giving any information earlier. I would have changed my passwords and monitored my credit cards much earlier on. On the other hand, I understand that Sony is a business and their first and foremost concern is maintaining their status. That's not to say that this excuses them, nor that a business' main priority should be themselves when they obviously have a responsibility to their consumers, but I can see the reasons for why they withheld the information. I do, however, find it strikingly odd that they consistently warn users about protection of their accounts and lo and behold they cannot control their own security. One of their main "selling points" has ultimately turned into their destruction. That's ironic to say the least.

Matt Mirkovich: I don't agree with how Sony handled the situation, but I think they have done the best that they could with what they had to work with. Although instead of just shutting off PSN and then saying nothing, they could have at least said, "We've been attacked, we're shutting down PSN, when we have the data pertinent to our users then we will notify them." Instead users got silence. I certainly would like to have known what had happened after I spent 40 dollars on PSN cards so I could pick up Arcana Heart 3 and was met with networking errors.


The Optimists...
Shawn Sines: Since I spend my normal life working in Information Security, I actually think the response here was reasonable. People are too used to the Hollywood and CSI investigation concepts - digital forensics and information security investigations take time, and often you can make errors or mistakes if you report before you have all the facts in evidence, or at least understand the root cause and extent of a security incident.

Charles Husemann: It's been mostly good but a bit more transparency from the start would have been appreciated.

Jeremy Duff: I am not sure that they could have handled it any better than they have. I have had the unfortunate experience of having someone “obtain” the credentials to my bank account / credit card and clear me out and the business involved with that ordeal wasn’t anywhere near as open and helpful as Sony appears to be / has been in this scenario. Many people are bothered by the timeline of details, or when they were given out, but I think Sony handled it adequately and appropriately.

Russell Archey: Except for how long it took them to tell us why the PSN was down for so long, it's been pretty good.

John Yan: Yes, I think they handled it the best they can. You always want to get all the information or as much as you can and they did what was pretty much, I think standard. You don't want to put information out there you don't know and you don't want to throw out misinformation just to get something out there. I'm sure they went through all this with their lawyers and such so I have no problems with how they handled it.

What sort of things would you like to see (or have seen) handled differently?

The Haters...
Tina Amini: Sony is a bit uptight, and stubborn. It doesn't seem that they really sympathize with the situation. Rather, their response indicates a tone of "well, this is an unfortunate incident but we're doing everything we can do." There are arguments that there was plenty more that Sony could have done. For instance - and, for the record, I do not know the validity of this point - there are assumptions that Sony did not even encrypt the personal information that was attained. They allegedly left all of it in plain text. Way to make a hacker's job more accessible. Even when considering the Hotz debacle, Sony has always felt entitled in their position rather than basing decisions off of what the right thing is to do. Their recent business decisions leave them looking greedy. The industry and gamer community has always appreciated a company that has good customer service and a humane outlook on handling their business. Look at Valve. Everything from Gabe Newell's timely email responses to fans to his decision to keep Erik Wolpaw on staff after a disconcerting diagnosis by Erik's doctor. Gabe's compassion for his employees is what made the Portal franchise possible. It's that kind of behavior that leads to good things (namely, Portal) and an incredibly dedicated fanbase.

Matt Mirkovich: Offer up a little more transparency. I get that they are a private entity but when it comes to potential damages to your customers you'd like to think they'd be as helpful as possible in the matter. I don't think just linking people to Annual Credit Report sites offers up the best solution to the problem. Again, don't act like your customers don't exist in a time of crisis, they are the crux of your business in this market, and you'd like to keep your impression amongst them strong. Feeling like an afterthought while my financial information may or may not be out in the wild is a disheartening experience as a consumer.

Charles Husemann: Should have been significantly more up front at the start of the entire process and said that customer data may have been exposed but that they are looking into it and will verify things later. That would at least have given people the heads up to start watching their credit cards. Also a little annoyed that they didn't mention what was/was not encrypted a bit sooner.

Ben Berry: They aren’t sure if credit card information was stolen, but passwords and the like were. How many of us try to use a single well made password for most of our accounts? If they have email and password, they have everything for some folks. When they knew they had a breach and they knew it was un-hashed personal data, customers should have been alerted within 24 hours.


The More Forgiving...
Russell Archey: As stated above, the thing that annoyed me the most was seeing that the PSN was down for an extended period of time, but we were not told why. I know it could take some time to determine the extent of the damage, but if there's even the slightest bit of a security breach detected, consumers need to know as soon as possible, not one week later.

Shawn Sines: Again, maybe I'm biased, but I think they handled this pretty well overall. They were forthcoming about the issues once they had the data to support it. This disruption sucks for people, but come on, this was not a great conspiracy by Sony to fleece you of your money or time playing...this is a negative business action with significant primary and secondary losses for the company. There is a line you have to walk with transparency when you discover a problem and have not the time or resources to immediately mediate or mitigate it.

Jeremy Duff: The only thing that I would have changed would have been in the area of timeliness, but I firmly believe that they were held up / stalled by the security investigation that was launched by the security services they obtained. They stuttered with their first few steps, leaving us (gamers) in the dark for the first few days, which was/ is discerning but then they seemed to have gotten their stuff together.

John Yan: After all said and done and I've thought about it, I can't think of anything I would want them to do differently.



Do you think that this will have a lasting effect on Sony’s current standing in the gaming industry?

The Pessimists’ Perspectives...
Tina Amini: Gamers know how to hold a grudge, and they never forget when they've been slighted. Take a look at Duke Nukem Forever. Even after extended previews and the game being showcased at major conventions, there are still many who spew the same joke of, "I'll believe it when it's in my hands and I'm playing it, and even then it's a toss up." After such a breach of trust, Sony will have a hard time regaining that from their consumers. It's said that you should treat others as you want them to treat you, and it's obvious that Sony doesn't have much respect for anyone but themselves.

A Little Here and There...
Matt Mirkovich: Unfortunately not, though they have pretty much forced me to purchase PSN cards going forward. I think older gamers will definitely feel jilted by the inconvenience caused by needing to perform what should be routine online behavior (in changing passwords, checking credit reports and bank accounts), and that isn't something people should have to be worried about when they just want to play video games. In the end the only way Sony can affect their standing in the gaming industry is by releasing quality content and working with developers to make sure their console has the best games while at the same time listening to what the fanbase wants for the console (Like bringing back PS2 functionality to the console).

Charles Husemann: Eventually it will fade but gamers have long term memories. This is in a sense Sony's Red Ring of Death except much, much, worse.

Ben Berry: There will be a dark cloud for a while, and I think the PSN network is certainly going to be set back for the foreseeable future. But in terms of their overall standing in the gaming industry, the minute they announce the new PlayStation, interest will be there.

Russell Archey: Maybe not necessarily in the gaming industry as a whole, but possibly from an online standpoint, mostly in terms of gamers buying things off of the PlayStation Network.

John Yan: As long as there aren't any really badly affected users with large amounts of money taken, I think they will be OK. They've been around long enough and they have many loyal followers. We'll see how badly the data gets abused, but I think they will be OK.

Mostly Sunny...
Shawn Sines: No, the attention span of gamers is 32.5 seconds.. once the service is restored the fickle, vocal Internet will move on to complaining about some politician or the latest 4Chan debate.

Jeremy Duff: Despite the fact that gamers have a habit of holding severe grudges, I think that they are easily swayed with a little bit of glamor and pizazz. By the time that E3 rolls around and the focus is onto their newest games and devices, this whole ordeal will be nothing more than an afterthought.

What do you think they can do now to best recover from this entire debacle?

Idealists...
Tina Amini: Recovery will be a long process. Firstly, they'd be very lucky if everyone's credit card information has not been revealed. Although having your name, address and birth date revealed to a hacker with who knows what kind of intentions isn't exactly the most ideal situation to be in, a credit card indiscretion would be far worse. Regardless, they obviously have to let go of concerns of things like DRM protection and focus more on their own security that can potentially (and clearly has) affect their user base. They would also benefit from now being more transparent with the public. Being left in the dark is not helping anyone's affection towards Sony.

Ben Berry: Provide credit insurance to all affected customers. It gives customers free access to their credit reports and any credit inquiries made in their name. And that's just step one. Then provide public details ensuring encryption of customer data. And offer some free time on the service too.



The Rational...
Shawn Sines: Fix the issue, stand up the service and work with customers to understand the situation. In the case of the PCI (Payment Card Industry) information that might have been exposed - well credit monitoring would be nice but impractical and mostly ineffective. They need to work with the merchants to get those numbers deactivated and reissued ASAP.

Matt Mirkovich: First of all, get PSN back online ASAP, and provide more transparency going forward. Some updates to the status of PSN coming back online via blog posts can go a long way to rebuilding user trust, and it's good to see that they have at least done that. Also reach out to groups that found their security flaws and request their assistance in helping them build a stronger network for all users, rather than chase after them with lawyers. There is a laundry list of things that Sony can do, but at the end of the day they'll have to make their shareholders happy first and their customers somewhere down around ninth or tenth, depending on where that falls between making a new Kevin Butler commercial and filing a missing person's report for Marcus.

Jeremy Duff: Two words: Move forward. It has happened... there is nothing that can be done about the past. Sony needs to simply batten down the hatches and relaunch a secure and working service. They just need to make sure that they make sure their customers know that they have taken the issue seriously and ensure that they will do everything in their power to ensure that it doesn’t happen again. Also, I think that they need to find those responsible for this “breach” and make an example out of them... legally speaking of course.

Russell Archey: Definitely begin (if they haven't already) encrypting all customer data that comes through, including passwords, credit card data, and even addresses. You can't be too secure these days.

John Yan: Pretty much just suck up to everybody. They tried to be so arrogant when they first started marketing the PS3 that it left a bad taste in a lot of people's mouths. And then they win some folks back with some good games and now this happens. They need to be humble and continue to try and make the best games out there for the system.

The Unconcerned...
Charles Husemann: Time heals all wounds right? Something like this was bound to happen to one of the online services and Sony made themselves a prime target because of the whole Alternate OS/GeoHot fiasco.


Will this affect their E3 showing(s)?

We’re All In Agreement Here...
Tina Amini: Sony will undoubtedly have a statement of some sort at E3 in regard to this situation. Given their track record, however, they'll be unlikely to allow further discussion. I imagine that no one will resist focusing on the current breach in security, but Sony will most likely resist that angle of discussion. I wouldn't be surprised if they appeared with smiling faces and attempted to turn everyone's attention to their tablet.

Shawn Sines: It won't aside from some whining by those who choose to tilt at this windmill in a few months. Is it bad that this happened? Sure! Will they need to make changes to better protect the network and the customers? Absolutely! Does it really impact the games the company will make or deliver in the next 18 months? Why should it?

Matt Mirkovich: If they allow it to. If they want to discuss it during their keynotes then that is their prerogative, but overall I think they just need to bring strong games to this year's E3 and move on. The press will possibly use this event as a forum to discuss what happened, and people will use the event as an excuse to potentially disrupt Sony in some fashion, but overall I expect E3 to be all about the games.

Charles Husemann: I'm sure this will be mentioned at some point and I think Sony will have to spend at least 5-10 minutes now addressing the new measures they've put into place to protect consumer information. Guessing Microsoft will take at least one or two shots at them during their presentation as well. Nintendo would but I still think they are trying to figure out this whole online thing still.

Ben Berry: Anything that is PSN specific will probably take a significant hit in interest, but I'm guessing they'll still show it unless it's something that's only on the network and not a game related experience.

Jeremy Duff: While it will undoubtedly be the “800 pound gorilla” in the room, I don’t expect it to steal any spotlight. I expect Nintendo and Microsoft to take their digs at Sony and for Sony to even attempt to mock themselves. There will be another official statement made during their presser, but hopefully it is something that they get out of the way right up front and move onto the good stuff such as NGP and new games...

Russell Archey: Not hugely. With E3 right around the corner I wouldn't be surprised if they take a bit of time to talk about it at their presentation. It could actually help Microsoft as they could now mention something to gamers along the lines of how your information is better encrypted or safer with Microsoft.

John Yan: I would say so. They would have to address this issue and that is taking time away or pushing the press conference longer to have to deal with this issue. I'm sure they'll get plenty of questions from journalists at their appointments about this as well.


Do you feel that PSN users are entitled to any sort of compensation for this experience?

High Maintenance...
Tina Amini: I don't think compensation in the form of games, etc. will be enough to heal this wound. Sony needs to rethink their business, and obviously their security plans. They need to ensure that they're putting more effort into the concerns of their users rather than the concerns of their wallet. But perhaps PlayStation Plus free for a year might help ease the pains.

John Yan: Of course. You advertise a feature and you take away a feature that's pretty big, you should be compensated. Then again they took away a few PS3 features, but online gaming and purchases are pretty big for the console. If you can't play some games you purchased in the way you want to, then yes you deserve compensation.

Reasonable...
Matt Mirkovich: Provide some compensation to PSN Plus subscribers. As for free users, offer a sale or something as a sign of apology, this will make the sting of not being able to enjoy some big titles like Portal 2 and Mortal Kombat online a little easier to handle. While I don't think they are absolutely required to do this, it would be a nice attempt to reach out to people who feel they are owed something. Though to be perfectly honest I would be surprised if they do anything at all.

Charles Husemann: Entitled no, expected yes. Sony updated their blog with information today that they are considering something. MS gave away one free XBLA game for their holiday outage a few years ago so there is an expectation amongst gamers that they deserve something. Guessing that free credit monitoring, and a few other goodies are in the works but we'll see.

Jeremy Duff: Not necessarily, though I am sure that Sony is preparing to make amends with free products and services across their various offerings. The only thing that I want, or expect, is compensation for the time I lost on my subscription services, particularly Netflix and PS+. As long as I get an extension on each of those services for the amount of time that I was without them (ok, maybe not Netflix), I won’t have any complaints.

Russell Archey: Yes and no. I can't see anything really big being done (maybe some free time with Playstation Plus) but I can see customers expecting something like free games and such. I've seen plenty of comments on various articles about the issue where people were downright ticked off with Sony about this (and reasonably so given the circumstances), and I wouldn't be surprised if they pretty much demand compensation.

Lenient...
Shawn Sines: PSN users.. who pay nothing? No. Though those who were denied access to subscription services like Plus should receive credit for the time lost and those who are Hulu Plus subscribers should also get time added to their billing cycle for the outage. Netflix still worked during the outage, despite complaining at you beforehand so that might qualify as well. To foster good will, maybe Sony could give all registered users some digital credit in the PSN Store.. since that won't necessarily cost them any real currency and could go a long way to rebuilding customer good will. (I like the idea of getting a free PlayStation One title as compensation for instance or give everyone a free month of PlayStation Plus - it could also serve to turn this into a good marketing opportunity for the subscription service.)


You know how we feel about the issue, now let us know what you are thinking. Please feel free to log in below and leave us a comment on your opinion and position on this issue. I would also like to give a special “thank you” to fellow staff member Tina Amini for helping me put all of this together.

About Author

If you have been here before, you know the basics: lifelong gamer, father, and of course, certified news monkey. I have been blogging on the industry for close to a decade now, in some form or another. It wasn't until I landed here at Gaming Nexus that I really dove in head first. Now, writing about games has become what I do for fun (and sometimes work) and something I intend on doing until the day I die.

I'm a huge fan of just about everything you can interact with using a controller, no matter how old or new, good or bad. If you put it in front of me, I will play it... end of story.
