December 20, 2014

If It Can Happen to Sony, It Can Happen to You

I hope you have all been reading about the massive security breach that occurred at the San Diego data center running Sony’s PlayStation Network services. That’s because the issue is another example of how the world of cloud computing and massive data centers could disrupt your own business — if you don’t work with experts to help you architect and secure them.

The issue is also evidence that no one is immune from the threat of a cyberattack — not even one of the world’s largest and most innovative technology companies.

There are actually two phases contributing to Sony’s problems. When the PlayStation Network Services — the company’s 77 million-user gaming network — were first compromised, the company simply shut the services down. What wasn’t so cool is that the company didn’t really say what was going on. In fact, it was almost a week before it disclosed the breach.

As of its first apology — which came out of Japan during the first weekend of May — Sony admitted that it still wasn’t sure what had happened and it essentially announced a “make good,” a plan to offer users of its PlayStation Network services a free month of service. (Right now, the service costs $49 per year, so you can do the math.)

And, at the beginning of May, it promised to get the network up and running within the week.

So far, so good, right?

Only that’s not where things ended. After that first very public apology, Sony discovered that there were more underlying server problems at the root of the problem than it had originally realized. In fact, the company only began a partial restore of the service this week, almost a full month after the original break-in.

Doubtless, the scale of the services that relied on this data center — close to 100 million user accounts — contributed to the slow restoration. But if it is this hard for a high-tech company to repair a data center security breach, imagine how things will go down for those of you who don’t focus on IT as a core competency.

It will take months and years to repair the damage — the relationship damage — that has been done over the past month. What Sony has been criticized for most is the fact that it originally took almost a week to disclose that there had been a breach and that personal information and confidential credit card information might have been stolen. The cause of the breach is still unknown, and Sony faces a federal class-action lawsuit on behalf of players who may have had their policy breached.

What lessons can you take away from this situation?

  1. You need to disclose security breaches as quickly as you have a handle on the situation. This isn’t just good policy for compliance reasons; it also speaks to the need to make customer service and customer relations a key consideration in any security breach. Most reasonable humans appreciate honesty.
  2. No one is immune, so you should be on alert to any unusual activity.
  3. Trust security to an expert. If a technology company like Sony has problems making things right, how can you reasonably expect to do better?