Game over! Lessons from the Sony PlayStation Network Fiasco

If you are not an online gamer, you might not be aware of the major hacking of the Sony PlayStation Network that occurred in April, which forced the company to shut down that service. Recalling an earlier post, 10 things to consider before you migrate to cloud services, there are some lessons to learn from the Sony experience…

In mid- to late April, reports began to circulate in the media that one of Sony’s networks had been hacked. The only sign of trouble was a major outage of the online service for Sony’s PlayStation 3 and portable consoles, the PlayStation Network. However, as the outage continued and frustration among gamers grew, on 22 April Sony reported on its blog that its PlayStation Network and Qriocity services had been affected by an “external intrusion”. The company suspended the two services until further notice, and explained that its efforts to resolve the matter involved “re-building our system to further strengthen our network infrastructure”.

What eventually became clear was that details for the PlayStation Network’s members, who number 70+ million, had been stolen. The stolen information included names, addresses, and possibly credit card numbers (TechCrunch). As expected, Sony has been working assiduously to rebuild its network. Additionally, it has established a free identity theft insurance protection programme for each of its PlayStation Network and Qriocity members who sign up for the protection. The programme includes up to USD 1 million in coverage per person for costs associated with an identity theft incident linked to the hacked network. However, while Sony tries to extricate itself from this mess, there are a number of lessons we can learn.

1. Do not underestimate the commitment of hackers. Sony is a huge and reputable company, hence there is an expectation of top-notch online security. However, there are cyber-criminals who have dedicated themselves to breaching cloud security. For example, on top of all of Sony’s problems with its PlayStation Network, on 22 May news began to trickle out that Sony BMG in Greece had been hacked and user data had been exposed (Sophos). The stolen information included the names, email addresses and usernames of registered site members. On 24 May, it was reported that the website for Sony Music Japan had been hacked. Although data from the site was exposed, it appeared not to include personal user information. However, the attackers left some evidence of their infiltration and highlighted additional weaknesses of the site (Sophos). Then on 25 May, Geek reported that Sony Canada had been hacked and the personal details of 2,000 members had been stolen.

2. Businesses are not as vigilant as they should be. Cloud providers, and businesses that operate or take part in cloud-like services, are usually aware of the kinds of threats they face and of the ways they could be vulnerable online. However, over the last few years, experts have been of the view that cloud operators and providers in particular have not been vigilant enough to keep one step ahead of the criminals.

3. Encryption is not a panacea for online security. In an article recently published by the BBC, William Beer, director of PricewaterhouseCoopers’ security division, says “even if credit card details are encrypted, there is software that may be able to decrypt it given enough processing power” once it has been stolen from the cloud itself.

“Encryption is often seen as a silver bullet. We need to be very careful because there are many different types of encryption. It can introduce an air of complacency into organisations and what we’re starting to see are criminals actually looking to the cloud.”

Hence the real objective of online security is to prevent a breach in the first place. Once a network has been successfully hacked and information stolen, the thieves can take their time and concentrate on cracking the encryption offline.

4. Cloud/network security is an intensive undertaking. As unpalatable as it might be, online security is a resource-intensive undertaking, not only in terms of cost, but also in terms of the manpower and effort that must be continually made available. It is not enough to design and implement the agreed security systems; considerable and comprehensive testing must also be performed regularly. The systems must be upgraded as and when new threats are reported, and not only on a fixed schedule.

In closing, it is important that we learn from Sony’s experience. The company has estimated the cost of the PlayStation Network breach at USD 171.5 million (PC Magazine), which might be a conservative figure, given that the network only resumed service in recent days. Further, the figure does not factor in the cost of the Sony BMG Greece, Sony Music Japan and Sony Canada breaches, along with any other hacks that have occurred but have not been as widely reported (e.g. Sony Thailand and Sony Indonesia). Ultimately, a pre-emptive approach would be far cheaper than the cost (not just financial) of all of the repercussions that have already occurred, and that will most likely continue for months and possibly years to come.