Patrick Seybold has posted another update
this evening to the PlayStation Blog with some clarification of the timing of the when and what involving the intrusion and subsequent data exposure that Sony suffered. In what amounts to a bit of damage control from the heat that Sony has been taking, Seybold pointed out that it does take some time from the point a breach is identified until it is found out exactly what may have been compromised. Seybold’s statement including a link to a FAQ
, which is more of a point-by-point of the letter that was e-mailed to affected subscribers this evening. There is little new info, although Sony did make mention that it will review options about offering compensation to those that had a subscription fee or content impacted. Here is the update form Seybold with the link to the FAQ :
I wanted to take this opportunity to clarify a point and answer one of the most frequently asked questions today.
There’s a difference in timing between when we identified there was an intrusion and when we learned of consumers’ data being compromised. We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until yesterday to understand the scope of the breach. We then shared that information with our consumers and announced it publicly this afternoon.
For those who were looking there’s also an FAQ with some more frequently asked questions
Thank you for your continued patience and support.
In my previous post
regarding why I thought Sony messed up the PR on this, I made mention that it wasn’t the fact that it took so long, but the fact that Sony never once in the process suggested that personal data and account information was compromised. Do not for a second believe that Sony didn't think this data may have been accessed prior to bringing in their forensics company. At issue isn’t when they knew, but that they should have notified the subscriber base that their info "may have been" breached and that a forensics investigation would confirm one way or another. Instead, they took the “safe” way and sat on their hands until they knew for sure, opening them up once again to criticism about how they handle their Public Relations and forcing themselves into damage control mode.