May 01, 2011, 5:21 PM — Earlier today Sony's Kaz Hirai (and other Sony officials) appeared at a press conference to go over the Playstation Network security breach and what they're trying to do to make amends for it. IDG's Martyn Williams covered the press conference already but I wanted to recap and talk about journalistic response to this whole spectacle. You can also read a press release on the Playstation Blog that summarizes much of what was talked about at the conference.
The short take-away is that Sony is beefing up security, hiring a Chief Information Security Officer (a new position for the company) and offering perks to existing customers in the form of "a complimentary offering to assist users in enrolling in identity theft protection services and/or similar programs" as well as free games (no specifics offered yet) and a free month of Playstation+ membership. The service will start to come back online this week with preference given to getting multiplayer gaming up and running again. Again, all this is detailed on the Playstation Blog.
What I really wanted to talk about today was the role of the press in this debacle. Sony, as far as I can tell (and full disclosure, I am a Playstation Network member with a credit card on-file with the service) has been doing a pretty good job of keeping us informed of what's been going on. Sure, it's easy to say, in hindsight, that they should have been faster about sharing the fact that user data was taken. It wouldn't be so easy a decision if you were there in the discovery phase trying to understand how much data was taken, but I'll still grant the point that Sony took too long in making that initial announcement.
I'm less convinced it would've made a significant difference to users if they'd known a week earlier that their data was taken. Aside from increased vigilance, there's not a lot we can do about it, short of moving to a new address.
Anyway, once that initial delay was past they started posting to their blog regularly. They had two updates on the 26th, then one each on the 27th & 28th, and finally the big press conference on May 1st (April 30th, US time). In addition they sent out an email to PSN members reiterating the contents of the initial disclosure.
And yet tech bloggers are calling Sony on the carpet for not being responsive enough. Gamasutra's Colin Campbell, in an anti-Sony screed, said "Sony's response has been predictably pitiful" and faulted the company for using the term "malicious attack" in referring to the break-in (what else would you call it?) and implies that Sony is behaving like a cry baby. What does Campbell think Sony should be doing?
The company should be booking halls around the country and inviting PSN users in for an open Q&A -- hosted by a genuine tough-journalist, not some rent-a-mic ass kisser -- all shown live and connected to an impressive social media wave. All the nasty stuff's got to come out sooner or later -- better this way than in some painful Senate investigation on CSPAN.
So he wants immediate response on the one hand, and for Sony to put together some uber-press junket (which would take weeks to organize) on the other. It's a ridiculous expectation and I, for one, would rather Sony focused on more important things (like getting a secure system back up and running) than giving me a stale donut and telling me how sorry it is. The problem may be that game journalists spend too much of their time in games and not enough in the real world where things take time to organize and resources don't respawn.
Next in my sights is VentureBeat. Dean Takahashi ran a post with the headline Sony says 10M credit card numbers may have been exposed; FBI investigating. What Sony actually said, and has been saying all along, is that they have no evidence that credit card data was taken, but they can't be entirely certain. Do you see the irony here? Journalists scream for immediate information but when they get an incomplete answer they assume the worst and generate link-baiting headlines. If Sony had waited until they were absolutely, positively sure that no credit card data was taken, Takahashi and others would be pillorying them for waiting too long to give out details.
It isn't that the headline is untrue; after all it does say "may" have been exposed. But Takahashi waits until the 4th paragraph of the post to point out "investigators have found no evidence that hackers looked at the data related to the cards."
I'm not done with VentureBeat yet. In another post Takahashi says, apparently without irony:
The problem for Sony is that this story, like the outage itself, has refused to die. We’ve run 15 stories about it so far, mainly because users seem hungry for more information
In other words, a site that is doing everything it possibly can to not let the story die is pointing out that the story not dying is a problem for Sony. Nice. He never explains what he means by "users seem hungry" and I'm calling that a smokescreen for "We bloggers smell blood and we're going in for the kill." It's the tech bloggers that are refusing to let the story die, and honestly it shouldn't die yet; we're not at the end of this process. But neither should we cultivate hysteria by running 15 stories (and counting) rehashing the same material and relaying every random rumor we hear as though it is fact.
For my last example I turn to Cnet's Chris Matyszczyk. After many tech bloggers chastised Sony for not apologizing, Sony pulls together this press event at the start of which Sony execs come out on stage and offer the assembled crowd an apology accompanied by a deep bow. Matyszczyk's response? Sorry, too late. It's clear that there is literally nothing Sony can do to satisfy some of these tech bloggers (most of whom probably aren't even impacted by the breach) and at the same time, almost nothing has been written against the people who actually did the breaking in and stealing of data. That bunch gets a free pass, it seems.
Anyway, I could go on and on; I'm sure you've seen similar examples at other sites. Here's my take on the situation. Sony got hacked, just like Gawker got hacked and Epsilon got hacked. No system is 100% secure. The fallout from the PSN outage and the loss of customer data is going to hurt the company for a long time to come, but they seem to be doing everything they can to make good and more importantly, try to prevent a repeat attack. The company has thanked users for their patience time and again, and now it has formally apologized (honestly I'm baffled over the demand for an apology; I'd rather see a secure site back up and running) and it sounds like they're putting together a package designed both to address serious concerns (the identity theft protection service they mention) and more frivolous ones (free game downloads). I'm not sure what else the tech journalists want, beyond Campbell's ludicrous calls for a series of face-to-face Q&As with all 77 million PSN users. I guess the blogosphere is still extracting its pound of flesh. Disappointing.