How to respond to a data breach without doing any good

Sony can't seem to figure out how to stop getting pwned

If you're the head of any important service at a big company – especially if it's a sensitive one like security – you know it's not going to be a good week if stories in the global media refer to the most recent canned reassurance to customers as the company's "latest" apology.

Especially if the previous apology was only a day or two before.

And the second apology had to include admitting that hackers had gotten credit-card data, on top of the "personal information" of customers taken in the earlier attacks.

If you'd been nailed by Anonymous, the hacktivist group that successfully attacked Iran, China, Libya, Egypt, MasterCard, Visa and the Church of Scientology, you'd at least be in good company.

Sony had to counter rumors that Anonymous was the culprit, though, after Anonymous itself announced "for once we didn't do it."

The series of attacks on various Sony properties is making one of the largest high-tech companies in the world look like it secured its front gate like a fortress, but never put a latch on the screen door out back.

The company that once bragged its game console was essentially unhackable (before it was successfully hacked by a 20-year-old) first had to shut down the PlayStation Network and admit it had lost personal data on customers, and now has had to shut down the networks running its purely online games like Everquest 2 and DC Universe Online.

Initial reports said hackers might have taken personal information on as many as 77 million accounts. Sony later said the number of accounts with credit-card data on file was closer to 10 million, and wouldn't confirm that the card numbers themselves had been taken.

As disaster mitigation goes, that's not a big improvement.

If whoever cracked Sony open this far takes things one step further, they'll be reading corporate information off Sony's servers before Sony's executives do.

The attackers didn't batter down the perimeter; they got in through an application server inside Sony's network that already sat behind a web server and two firewalls. That's the practical lesson: a firewall in front of an application server does nothing against an attack that arrives as ordinary-looking application traffic, so the server itself has to be patched and hardened as if it were exposed directly.

Successful hacks always chop away some of the confidence customers have in the company that was hacked.

If they handle it well, that confidence can be rebuilt.

Sony handled it really, really badly.

Keeping the attack secret for more than a week, giving few details at first about what had been hacked and what kind of information had been lost, and then assuming that a few free offers, a couple of apologies and the announcement that it had hired a new chief of security would make up for it all: none of that was a good step.

And the CISO job itself is new, which only emphasizes how low a priority Sony put on security before its giant online services were cracked wide open.

The WSJ quotes Sony execs as saying the hackers "may" have taken 12,700 credit-card numbers from customers outside the U.S. and 10,700 U.S. bank account numbers from an "outdated database from 2007."

Not much consolation there, I think.

The FBI is investigating the attacks. Congress is investigating Sony.

Sony says it's cooperating with both investigations, but won't testify.

It is posting too-little, too-late notices and warnings to customers on the PlayStation Network and the Sony Online Entertainment (SOE) network.

Nothing it has done so far, or announced plans to do, looks likely either to improve security much or to rebuild customers' confidence that giving a credit-card number to Sony is any safer than emailing it to the return address on an unsolicited message from the former finance minister of Nigeria.
