Feed The Gamer


Sony and Hackers and Data – Oh My!

The recent outage of the PlayStation Network (PSN) has been widely reported, making it as far as mainstream news such as the BBC. In this post I’m going to catch people up on what’s been happening, make you aware of the latest news and then I’m going to try my best to stem the tide of FUD that is already starting to spread across the entire grapevine.

The Story So Far

On the 20th April, PSN and Sony’s Qriocity store suddenly went offline with no warning. This caused a fair amount of upset for many gamers since PSN provides the majority of the online component for the PlayStation 3, both in terms of content and multiplayer gaming. As days went by, the full extent of this outage began to be felt – no media streaming from content partners such as Lovefilm or BBC iPlayer (UK services), no online gaming has been possible and it hasn’t been possible to buy any content through either the PSN store or Qriocity. In fact, some games are so intrinsically tied to having a connection available that it hasn’t been possible to play them in single-player offline mode because they haven’t been able to contact the PSN servers for things like syncing up your trophies.

Hacktivist group "Anonymous" have denied responsibility

During the first few days of the outage, the rumour mill ran rampant. Sony have not been making many friends lately with the way they have man-handled the GeoHot situation, disabled the otherOS feature on the PS3 and generally acted a bit like dicks. In fact, Anonymous, those lovable scamps of Internet retribution, had threatened to launch a campaign against them. Updates from Sony were minimal, initially simply that they were aware of the outage and investigating the cause, until on the 22nd they were forced to admit that they had caused the outage themselves because PSN had been hacked. There was no further information available, and fingers rapidly started to be pointed at Anonymous, who have denied all responsibility (somewhat believably, since these are people not at all afraid of grabbing the spotlight with both hands).

The Big Reveal

It took almost a week for definitive word to come out of Sony HQ, but last night a statement was posted to the official PlayStation Blog in the US, broadly confirming what had already been less officially posted – the services had been hacked and Sony had voluntarily taken them down in order to bring in security analysts and perform a complete analysis. Unfortunately for Sony they had one extra piece of news to add: their investigation has shown that pretty much all the user data they store had been compromised. For the sake of clarity and to highlight the scope of this, I’ll paste the list of information from the announcement verbatim:

“…we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained.”

“If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.”

Delousing the Rumour Mill

Somewhat understandably the Internet has set its hair on fire over this. There’s a lot of people jumping to a lot of conclusions and Sony isn’t coming off very well at all. The fact that an intrusion into PSN was possible and netted such a trove of personal information doesn’t reflect well on them, and it would be easy to stop there and point fingers. But it isn’t that simple of course. We may never find out what happened – big companies like Sony aren’t known for their transparency, especially over something as embarrassing as this – but it’s worth pointing out that ANYTHING beyond what has been officially announced is speculation in the best case and FUD in the worst – we just don’t know enough details. For the most part, we’re the guys standing in the bank after the robbery pointing out that closing the vault door might have been a good idea – sure, it’s open now but we’ve no idea what the situation was when this hack took place, we don’t know what security they had in place and we don’t know what parts of the announcement are part of a PR strategy. More and more I’ve seen companies employ a system where they announce the worst case scenario up-front and then gradually scale it back over time. It’s meant to have less impact on the consumer than letting the bad news build up over time would: they deal with it all at once and then get over it rather than having it fester.

I’ve spent a lot of the morning playing devil’s advocate and defending Sony in discussions, mostly because until all the facts are in I’m not prepared to get on the bandwagons of condemnation. I already wasn’t a big fan so if everyone jumps ship to Microsoft, Nintendo and Steam it’s no big loss for me personally, but I think we should do it for the right reasons. If Sony screwed up and didn’t follow proper security procedure then they are to blame, but if they did and these hackers were good enough to succeed anyway, it seems unfair to blame Sony – it’s possible they could be just as much victims as we are. There’s a lot of people less willing to give them the benefit of the doubt though, and this could cause them a lot of problems in the future.

The Bottom Line

There are a lot of lessons to be learnt from this – both from the consumer’s point of view and the service operators’. I think we’ll see an increase in awareness of data protection, we’ll probably see people a lot less inclined to store personal information on online services – and in some ways this is the blessing in disguise of the past week’s events: a dramatic increase in the layman’s awareness of potential vulnerabilities. Hopefully all the major players are already hip-deep in a massive security audit and overhaul to do their best to ensure that this can never happen again, but the uncomfortable truth is that there is no such thing as a completely secure system, and we all need to realise that. For my part, I’m probably going to take a long look at how I manage my usernames and passwords – let’s say I don’t always follow best practices myself and leave it at that. It’s a wake-up call for all of us, and (rightly or wrongly) it’s going to hurt Sony. I just hope that all of the personal information that’s now “out there” doesn’t get put to nefarious use.

About Luke Dicken

Luke Dicken is a somewhat jaded games researcher with the Strathclyde Artificial Intelligence and Games Research Group. You can find more of his attempts to commit thoughts to print at lukedicken.com or at twitter.com/LukeD
