The online component of the PlayStation 3 video game console has been down worldwide since April 20th, greeting millions who tried to access the service with an error message. Despite public outcry, Sony was initially quiet on the issue, leaving frustrated gamers unable to play games online with their friends.
The timing was especially poor, coinciding with the release of two much-anticipated, high-profile titles with online play, Portal 2 and Mortal Kombat. Unlike Microsoft’s competing Xbox Live service, which requires a monthly fee, the PlayStation Network is free for PlayStation 3 owners.
However, it became apparent that this was much more than a simple network outage.
Sony finally admitted on April 25th that the security of Sony’s PlayStation Network and Qriocity services had been compromised by hackers in a breach between April 17th and 19th. Unsure of the extent of the breach, Sony shut down the services to investigate what had happened. Personal information of the 77 million users was stored in an unencrypted format, allowing the intruders to obtain users’ names, addresses, email addresses, birth dates, and more. Sony initially believed there was no evidence that credit card information, which was stored separately in an encrypted format, had been stolen.
However, in a news conference Saturday, Sony revealed that 10 million credit card accounts may have been exposed. Kaz Hirai, Sony’s executive deputy president, offered a public apology and promised to compensate customers. “We offer our sincerest apologies,” Hirai said, then bowed deeply in a Japanese custom showing regret.
While Sony maintains that it acted as quickly as it could, there could be potentially devastating legal consequences. Even before Sony admitted that millions of credit cards had been compromised, multiple class action lawsuits resulting from the breach had been filed against the Japanese corporation. Sony is working with law enforcement, including the FBI. Attorneys general of 22 states are also investigating the incident, including Sony’s delay in notifying customers of the breach.
“The fact that sensitive information was apparently accessed without authorization makes me especially concerned about the possibility of financial fraud and targeted phishing scams,” George C. Jepsen, attorney general for Connecticut, wrote in a letter to Sony Computer Entertainment America President Jack Tretton. “What is more troubling is Sony’s apparent failure to promptly and adequately notify affected individuals of this large-scale breach.”
“In this era of increasing reliance on technology, it is vitally important that all entities entrusted with nonpublic personal information employ the highest levels of data security,” he added. “For a company such as Sony, which manages an extremely large customer database and online network for PlayStation users, the security of consumer information is critical.”
Sony has promised affected customers 30 days of free access to its Qriocity and PlayStation Plus services, as well as credit card protection for the 10 million customers whose data was compromised.
However, it’s going to take a lot more for Sony to rebuild their users’ trust.