The other month when I wrote the article "If You Can't Beat Them, Invite Them In" about Sony's response to PlayStation hackers, I wasn't being as literal as Sony seems to have been. In what is anticipated to be the second largest exposure of consumer data from a corporate network breach, Sony's PlayStation Network (PSN) has been hacked, and is down for the count.
Initially, Sony was quite tight-lipped about the sudden downtime of PSN. There were rumors that it might have been hackers, with a number of people pointing to Anonymous, a loose-knit group of "hacktivists" that had previously been targeting Sony because of the company's handling of George Hotz and his hack of the PlayStation firmware (i.e. on his own device). Anonymous denied any involvement in the recent hack of the PSN.
Over a week after the service went down initially, Sony notified users via email that their account details were compromised. The delay in telling users about the data theft certainly doesn't bode well for Sony, and depending on the details may run afoul of certain state laws regarding user notification of data theft. More troubling is that Sony's user data was unencrypted on its servers. Though credit card data was encrypted, the user data (which based on Sony's email seems to include passwords) was kept on the servers in plaintext. This is terrible security practice, especially for passwords: a password should never be stored in any recoverable form at all, encrypted or otherwise, but as a salted, deliberately slow hash, so that a dump of the database does not hand the attacker working credentials. Since Sony had security questions and answers, emails, and passwords in the clear, and since people reuse passwords and security answers across sites, that data can quite easily be used to access many, many accounts elsewhere on the Web for compromised users.
Already, the lawsuits are starting to pop up. Two have been filed in California, which has several laws on the books protecting consumers in the case of a data breach. Both are seeking class-action status.
All of this is very, very bad for Sony and its customers. Users need to be extremely wary: change any password (and security question/answer) elsewhere that was the same as the one used on PSN, and be alert to phishing emails impersonating Sony, since attackers now hold enough personal detail to make such emails convincing. On top of this, users have been without the ability to play several launch titles (like Portal 2) online, PlayStation Plus users are paying for services they aren't receiving, and because of how most of the PlayStation software operates in an attempt to prevent piracy, system applications such as Hulu can't be used while the PSN is down.
This latter issue is compounded for Sony by the coincident release of Hulu Plus on the Xbox 360. Hulu has already stepped up and offered PlayStation Hulu Plus subscribers a free week's credit for the downtime. Sony hasn't said anything about compensation to users at the time of this writing, and still hasn't provided an estimate of when services will be resumed.
All in all, Sony's handling of this issue has been terrible, from the security practices in place initially to the PR response so far. Taking the network down is a defensible containment step; staying tight-lipped for over a week about what had been taken was not. I'd really like to see Sony move quickly to restore service, and provide a user data "double-check" that would let users see what data they had provided the PSN (in order to go about changing that data on other accounts), and prompt for new passwords/security questions (this time stored as salted hashes rather than in plaintext or any other recoverable form). One caveat: such a portal must not be reachable with the old credentials alone, because anyone holding the stolen data could use it too; it should be gated by a one-time link sent to the email address on file.
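To make concrete what "passwords in plaintext" versus "salted hashes" means for the attacker who dumps the database (the point raised above and in the discussion of Sony's storage practices), here is an added example. It is not code from the original post or from Sony; the sample rows are constructed, the record format and iteration count are my own choices, and it uses only the Python standard library (PBKDF2-HMAC-SHA256, a per-user random salt, and a constant-time compare).

```python
"""Plaintext credential storage beside its hardened form.

Added example, not code from the original article or from Sony. The rows in
PLAINTEXT_DUMP are constructed sample data, not anything taken from PSN.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# --- The "before": what a plaintext store hands to whoever dumps it ---------
# Constructed sample rows in the shape the post describes: email, password
# and security answer all stored as-is.
PLAINTEXT_DUMP = [
    {"email": "alice@example.com", "password": "hunter2", "answer": "Rex"},
    {"email": "bob@example.com",   "password": "hunter2", "answer": "Fluffy"},
]

def credentials_reusable_from(dump):
    """With plaintext storage every row is immediately a working
    (email, password) pair for credential-stuffing on other sites."""
    return [(r["email"], r["password"]) for r in dump]

# --- The hardened form: salted, iterated PBKDF2-HMAC-SHA256 -----------------
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000      # slow by design; raise it as hardware gets faster
SALT_BYTES = 16

def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.
    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table is useless against the dump."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"

def verify_secret(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in
    constant time. Any malformed record is rejected, never accepted."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != ALGO or iterations < 1:
        return False
    expected = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(expected, digest)

def normalize_answer(answer: str) -> str:
    """Security answers get the same treatment as passwords. Folding case and
    whitespace first lets 'Rex ' and 'rex' match without storing the answer."""
    return " ".join(answer.casefold().split())

def hash_answer(answer: str, salt: Optional[bytes] = None) -> str:
    return hash_secret(normalize_answer(answer), salt)

def verify_answer(stored: str, candidate: str) -> bool:
    return verify_secret(stored, normalize_answer(candidate))

def hardened_store(dump):
    """The same table as it should have been kept: nothing recoverable."""
    return [{"email": r["email"],
             "password": hash_secret(r["password"]),
             "answer": hash_answer(r["answer"])} for r in dump]

if __name__ == "__main__":
    print("plaintext dump yields:", credentials_reusable_from(PLAINTEXT_DUMP))
    table = hardened_store(PLAINTEXT_DUMP)
    for row in table:
        print(row["email"], row["password"][:48] + "...")
    assert verify_secret(table[0]["password"], "hunter2")
    assert not verify_secret(table[0]["password"], "hunter3")
    # same password, different salt, different record
    assert table[0]["password"] != table[1]["password"]
```

The stored record carries its own algorithm name and iteration count, so the parameters can be raised later and old records re-hashed at next login without a flag day. Note that the hardened form would not have helped with the email addresses or credit card data; it only ensures that a stolen table does not double as a list of working logins.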