Sony apologizes again for data breach, while wriggling out of responsibility

CEO's reason for delay in notifying customers of breach doesn't hold water

Sony is apologizing again – this time direct from the mouth of its CEO – to its gaming customers for the massive data breach it suffered in April and its ham-handed response afterward.

It also plans to avoid paying, directly anyway, for costs from the breach that could reach $2 billion.

Instead it figures that a "variety of types of insurance" that cover various forms of damage to customers, the environment or Sony's finances should cover the bill, Sony spokesperson Dan Race told Reuters.

"Certain carriers have been put on notice," he said, sounding probably more ominous than he meant to.

Financial analysts are split on how much of the bill insurers are going to be willing to pick up, considering Sony doesn't seem to have had adequate security protecting the 100 million accounts that were hit or the 12.3 million credit-card numbers that might have been taken.

The "automated software monitoring and configuration management" software Sony plans to install sounds like a pretty basic addition – the kind you'd expect a big online service provider would already be using to protect its own networks.

By rights it should also be running intrusion prevention systems, data-loss prevention and higher levels of encryption, as LastPass promised to add after getting an unconfirmed indication it may have been breached earlier in the week.

A different Reuters story quotes financial analyst Kota Ezawa at Citigroup in Japan as saying Sony's network-gaming business makes only a small contribution to its bottom line, but that the breach could also hurt sales of hardware. That would be a blow.

Sony still seems to be talking out of both sides of its mouth on the apology, as well.

It is definitely taking the issue seriously, at least from a PR perspective, but the public part of its response to the security issues lacks almost any detail, and it still hasn't come up with a decent explanation for why it waited so long to notify customers of the breach.

The first attack happened April 19; Sony notified the FBI April 22, and notified customers a week later.

"I know some believe we should have notified our customers earlier than we did. It's a fair question," Sony CEO Howard Stringer said at a press event.

"I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process. Hackers, after all, do their best to cover their tracks, and it took some time for our experts to find those tracks and begin to identify what personal information had – or had not – been taken," Stringer said.

Blaming hacker obfuscation for not admitting you got smacked is pure bushwa. Knowing who hit you, using what methods, from where, and with confirmation of all the data they may have taken does take time.

Figuring out you've been robbed doesn't; Sony knew April 19 and didn't say anything.

That's a reputation-protecting coverup reaction, not an honest evaluation and attempt to redress a security problem, or even to do what is possible to protect customers.

Sony went out of its way to blame the hacktivist group Anonymous even late in the game, even after it was also admitting there was no indication Anonymous was part of the attacks beyond the one-day DDoS attack April 5.

Anonymous denies all involvement.

"Let's be clear, we are legion, but it wasn't us. You are incompetent Sony," an Anonymous blog posting said yesterday.

It's hard to disagree.
