The lesson Sony didn't learn 5 years ago

People are furious with Sony over the Playstation Network breach that compromised the personal data of millions. But Sony proved a long time ago that they don't really care what customers think about security risks.

First, some background:

Earlier this week Sony shut off service for PlayStation 3 users after detecting a breach of the company's servers. Days later, customers learned that their personal data had been stolen.

Now people are asking what Sony should do to set things right. In one article, Lisa Greim at sister publication PC World wrote:

What responsibility does Sony have to the 77 million Playstation Network customers who found out this week - days after the fact - that their personal data, online account info and credit card information were stolen by identity thieves?

"When I see something like this, I want to scream," says Florida identity theft expert Denise Richardson. "It's like a goldmine of information."

Companies in Sony's position typically respond by offering affected users a year of free credit monitoring--something any consumer in the U.S. is entitled to already. "To me, that's nothing," Richardson says. "Thieves are sitting back laughing at that."

Sophisticated data thieves have moved beyond stolen credit cards and use personal info like birthdates and home addresses to open bank accounts, obtain medical services or collect other people's unemployment checks. The fact that many of Sony's 77 million compromised accounts likely include teenagers and young adults makes it worse, she says, because they may not know their data was compromised for years, compounding Sony's potential liability.

So now Sony gets to experience the lawsuits and PR black eye others have suffered for failing to communicate a breach in a full, timely manner.

Don't feel sorry for Sony, not that you would anyway.

The company needs to learn the hard lesson that customers come first, and when there's a security breach you worry about saving their information before trying to cover your own skin.

Go back more than five years and you'll see that Sony failed to learn their lesson once before.

The issue wasn't a breach. It had nothing to do with external attackers. It was merely something Sony's BMG Music Entertainment division did to prevent CD copying.

In late October of 2005, security practitioner Mark Russinovich found a rootkit on his computer that had been installed as part of the digital rights management (DRM) component on a Sony audio CD.

Security experts were alarmed from the start, since rootkits were something more typically used by the bad guys. They accused Sony of playing with fire. The experts warned that if more companies used the technology the way Sony did, hackers could hijack such rootkits and cause all sorts of trouble.

Again, that was an entirely different scenario than the Playstation debacle. But the tone-deaf response Sony has made this time is pretty much the same as its response to the security dangers back then.

So what do we do now?

I'd like to think Sony will feel the pain of a much-needed smack to the head with a clue bat. But I don't have much hope. The rootkit controversy blew over and the company's various branches have continued to generate zillions of dollars.

It's up to the customers to force a change by turning to products other than those made by Sony.

The question is, do they have the will to do such a thing?

Like I said, I don't have much hope.

I'm simply here to tell you you shouldn't be surprised.

--Bill Brenner
