Seven security incidents in two months - Sony’s nightmare grows (Update)
by Steve Ragan - May 23 2011, 21:05
Update 2: YouGov sent over the BrandIndex ratings for Sony and PlayStation 3:
PlayStation 3
4-25-2011 - 12.6
5-03-2011 - 3.9
5-20-2011 - 0.7
Sony
4-25-2011 - 30.6
5-03-2011 - 13.6
5-20-2011 - 22.2
So the PlayStation brand is taking a beating, while Sony overall is heading back to pre-breach levels.
Update: Two pages of expert commentary have been added for additional insight into this story.
It seems that Sony has had to deal with one embarrassing incident after another recently. Like piranha swarming someone injured in a river, it looks like everyone is testing Sony’s security defenses. What does this mean for Sony? Assuming it’s hurt at all by these incidents, can their reputation be salvaged?
It started in April. Anonymous launched a DDoS attack against Sony over their lawsuit targeting GeoHot, who developed the tools needed to add homebrew software to the PlayStation 3. That lawsuit led to a mix of reactions, both positive and negative, from the public at large. However, analysts speculated that the court battle would do little to damage the entertainment giant.
Later that month, the news spread that GeoHot’s case was settled. Yet, there was another problem. The PSN was down, and remained so for nearly a week before Sony first alerted the public to the real reason behind the outage.
Between April 17 and 19, someone cracked the PSN and compromised the user data stored there. Estimates placed the number of victims at more than 70 million. Instantly, Sony took heat for the delay in notification, in addition to heat for the compromise itself, due to reported lackluster security practices and policies. [Source]
Last week, Sony CEO, Sir Howard Stringer, Kt., addressed the delay in an interview with The Wall Street Journal:
“We told people what we believed to have been lost and what we couldn’t rule out within a day of finding that out. That’s fast. That’s faster than what most companies have done. That’s faster than the law required and it was the responsible thing to do for our customers. You can’t find a company that acted any quicker once it found out…” [Source]
The problems continued, as Sony announced in early May that the Sony Online Entertainment network was breached shortly before the PSN, adding an additional 24 million customers to the list of people exposed by the previously reported security incident. At the time this announcement was made, the PSN was still offline and Sony had announced that the SOE was being cut off as well. [Source]
The same week that the SOE announcement was made, Sony was faced with a third breach, exposing basic information on some 2,500 sweepstakes contestants. However, there was no compromise. Sony left the information exposed to the Internet via Google. [Source]
On Tuesday of last week, just as the PSN was resuming normal operations, Sony once again faced security problems. The Web portal where gamers could change their account passwords had a flaw. Sony was forced to take the service offline while a fix was deployed to the Web application. [Source] [Source - Sony]
On Friday, So-net Entertainment, a Sony subsidiary, was compromised. Criminals walked off with roughly $1,225 USD worth of gift points from 128 accounts. So-net spokesperson, Keisuke Watabe, said at the time that it was unlikely the theft was related to the other Sony problems, but noted, “[W]e can’t completely rule out the possibility that there is a connection with the PSN issue.” [Source]
After that, F-Secure discovered a Phishing page running on a Sony server last week, but was confident that it was unrelated to the PSN incident. The Phishing page, discovered on Sony’s Thailand portal, targeted an Italian credit card company. Sony removed it within hours. [Source]
Over the weekend, the public learned that the Greek website for Sony BMG was also compromised earlier this month. Someone posted a database dump with 8,385 user records - including usernames, email addresses, and passwords - to the Web as a result.
This newest security incident, the seventh targeting Sony in two months, was due to SQL Injection, leveraging application vulnerabilities on the domain. [Source]
[NOTE: We have been told that we overlooked an 8th attack. Details on that attack are here. While we regret missing the defacement on the Sony domain in Indonesia, we will leave the story title as is, and focus on the seven items we started with. We'd like to offer thanks to @attritionorg on Twitter for pointing this missing item out to us.]
The combined weight of the security problems Sony has faced, including later incidents that are only inconclusively linked to the original PSN breach, shows that while Sony has hired more security staff and added additional layers of protection, those measures haven’t had time to take hold.
This is to be expected, as none of the new security investments will work overnight. However, it does demonstrate that previous measures were spotty at best. Still, what does this mean for the future of Sony? Will their brand suffer any problems? If it does, can it recover?
In company marketing materials, Sony talks about how they recognize the power of their brand.
“In April of every year a large number of new employees join the company. And what I always say to them is that we have many marvelous assets here. The most valuable asset of all are the four letters, S, O, N, Y. I tell them, make sure the basis of your actions is increasing the value of these four letters. In other words, when you consider doing something, you must consider whether your action will increase the value of SONY, or lower its value.” - Sony’s Chairman of the Board, Norio Ohga
The public charges against Sony, based on mounting security problems and spotty communication, have done little to increase the value of those letters. At the same time, it isn’t as if Sony hasn’t tried. They offered insurance to the customers impacted by the security issues, free games, and network time credits.
Was that enough?
Recently, security firm SecurEnvoy sent The Tech Herald an interesting press release based on research at InfoSec Europe. In it, Steve Watts, the co-founder of SecurEnvoy, called Sony inept, when speaking about how they addressed the two largest data breaches.
“This is a multi-faceted issue for Sony. Not only have they cheesed off their user base - many of whom work in the IT sector - by losing their credentials, but they are preventing those same users from enjoying their leisure time online. This is a classic case of royally upsetting - on multiple fronts - the very people who are key influences on purchasing Sony kit and services in a business environment. The brand and other reputational damage that Sony has done – and continues to do - is incalculable,” he added.
According to BrandIndex (brandindex.com), Sony’s buzz score fell from 30.6 to 13.6, when measured from April 25 until May 3. During that same period, the buzz score for the PlayStation 3 brand fell from 12.6 to 3.9. [Source]
Significant drops to be sure, but Sony was able to recover after they started to open up when it came to security problems and what they're doing to address them. Scores in the U.S. climbed in addition to those in the UK and Germany, as May pushed forward. [Source]
Not everyone agrees that the Sony brand has taken such a major hit that it cannot recover from it. Wedbush Securities analyst Edward Woo, speaking to NowGamer, said that people have short memories when it comes to problems.
“People tend to have short memories, and if the benefits are still there (mainly the PS3 is still a good game system, which it is regardless of PSN) they will come back. Just look at recent company major blowups like BP, Ford Explorers, or even Microsoft with Xbox 360. People came back to these companies as their overall product was still good or was fixed.”
It’s not clear if Sony will have a long fight to regain consumer trust or brand value. We’ve reached out to a few experts for comment and will add their thoughts to this story as we get them.
What is clear is that Sony will have a hard time securing every aspect of their networked properties, and that the process required to do so will take time. How they react and communicate with the public after any future growing pains will make all the difference.
Tell us, how confident are you in the Sony brand? Has any of this changed your opinion of the company and its offerings?
As promised, here are some thoughts from experts in branding, media, and public relations. The Tech Herald would like to thank each person for taking the time to share their thoughts and answer our HARO request.
“Sony is no different than any other company whose bad choices led to a consumer confidence / PR nightmare. Most consumers will tolerate one or possibly two faux pas; however, having had seven security violations (allegedly) does put Sony in a league of its own. Advances in technology have brought us all new opportunities to go along with the challenges - either of which can turn a simple comment into a whisper heard around the world in minutes.
“The road to damage control and reputation recovery will be long and rocky, but they can come through this stronger and better. Sony has some hard decisions to make. Research shows the quickest, but toughest, path is to "come clean" - to be transparent in what has happened and what they are doing to fix the problem.
“They need to incorporate both new media (non-traditional) and traditional vehicles/resources to accomplish this - a place on their website for daily (or more frequent) updates (here is what we’ve done and here is what we are working on); frequent tweets; CEO interviews with some of the biggest news reporters/anchors in the business; video (to post on places like YouTube and their website); keeping updates to employees but also asking for their help in reaching out to customers; and Facebook updates and offers and reaching out to all stakeholders - both to update them and ask for their help.
“Think of it as a massive PR campaign that is carried out in hours and days rather than weeks and months. History shows that most companies that have a crisis communication plan already written and in place prior to a crisis where this plan includes many of the things mentioned above, are more successful than those companies who ignore (or deny) the problem.
“Think J&J (the 1982 Tylenol) and JetBlue Airlines on Valentines Day 2007. If Sony decides to take the opposite approach (denial or shifting the blame) then it will take much longer (if ever) to recover. Often companies who go this route do so because they were advised to by their legal advisors or they underestimate the power of social media and the internet. Think Pet Menu Foods (2007), J&J (2010), Exxon Valdez (1989-90) and BP (2010).”
- Dr. Carol Stewart, Adjunct Professor of Management, Southern CT State University
“Yes, Sony's reputation will be hurt - and the damage will last long after the problems are solved. Reputation is managed. It's not a perception. It results from consistent and ongoing attention paid - by management - to key actions and activities that lead to brand perception.
“Unfortunately for Sony, because they let the security issues slide in the early stages by not ensuring adequate controls, did not act immediately to inform their customers that a breach had occurred and then have allowed multiple occurrences to follow, the distrust the public will have in Sony's _ability and willingness_ to protect their most important private information will last far longer than the problem.
“This is both particularly sad - because Sony is an excellent company - and an important warning to all companies doing business online: No matter how much you're doing both to protect and respond to your customers, you need to do more.”
- Leslie L. Kossoff, Founder and Principal, The Kossoff Group
“We strongly feel that Sony has messed up big time and no amount of free games can really help to fix consumers' trust in the online service again. Sony hasn't been fully transparent on what has been happening and why their systems have been so faulty. But now exposing their customers' information to the world has left a sour taste in users' mouths. Sony needs to be 100% transparent and discuss openly with their community about this situation and how this can be quickly solved.
“Also, Sony needs to publish information on how their community can protect themselves against these types of attacks. If Sony can fix the issues once and for all AND offer consumer education by becoming a go-to source for online privacy then they should be able to win back their trust from consumers. Otherwise everyone will be playing offline on PSN.”
- Mike & Everett Street, owners ButtonMasherz.com
“Despite the many security breaches, Sony's reputation will survive intact. They will survive because of the areas of their businesses impacted, the way they are handling it, and the new culture we live in where security breaches are becoming a common occurrence. Gamers care more about the gaming experience and less about their privacy, so they are not as disturbed by the idea of their personal information being out there in cyberspace.
“In addition, many of the credits did not belong to the gamers, who are underage, but their parents, so these gamers will never appreciate the situation. As well, the fact that Xbox suffered a similar fate has blunted the impact of Sony's announcement. Sony's challenge is to ensure that they are perceived as working hard to fix the problem. Eventually, they will, and all will be forgotten. The moment Sony comes out with another best-selling game, it will be business as usual.”
- Mario Almonte, PR specialist, Huffington Post blogger
“When a company or an individual has failed in a public way in America, it is important to admit it. I advise companies to say the truth, say it fast, and say it all. Americans will forgive you for screwing up, they will never forgive you for covering up. Tell the truth; tell people why the failure happened, what is being done to prevent it in the future, and why it won't happen again.”
- Paul Draper, cultural anthropologist
“Sony's reputation for delivering good electronics will not suffer - they have consistently delivered products that perform well at a fair price. However, as a whole, the confidence of consumers and digital integration electronics will plummet, as not even the most respected brands seem to be able to keep their customer details confidential.”
- Rabbi Issamar Ginzberg, Monetized Intellect Consulting
“Yes - Sony has and will continue to lose some business over these recent incidents. However the key is that they become proactive - and address this situation immediately and honestly. They have to inform their customers and potential customers - what they are doing - moving forward. Being proactive and honest are the keys for managing your reputation.”
- Janet Boulter, Business Advisor, Center Consulting Group
“Sony’s reputation has suffered, but it can recover. After all, there have been several major data breaches in recent years - so to consumers, this appears to be a new category of risk everyone faces, rather than a problem that is limited to Sony. I actually think the network shut down is probably more damaging to Sony’s PSN viability than the data breach itself.
“Avid gamers aren’t going to be turned away by the risk. They will be turned away by repeated network disruptions. As long as Sony can avoid prolonged shut downs going forward, put more money into its PSN security, remain competitive in the gaming market and deal appropriately with affected customers, it should recover from this ordeal.”
- Michael Sias, Manager, Firm Nineteen, LLC
“Sony, not unlike Toyota, has a very loyal customer base that will look past these security issues. No firm is truly insulated from such attacks. Sony, unlike Toyota, has had a larger issue over the past few years of perceived slipping quality, so any negative headline will not help their attempts to regain their one-time image as the premium brand.”
- Edward van Eckert, AVP Marketing and Media Relations, Novantas
"Sony's reputation? It used to be what Apple is today, the company that made the cutting-edge products we got excited about. While Apple could stumble at any time, the reputation of Sony is not very strong among young consumers who are using Apple's iPhones, iPods and iPads as the soundtrack and translator of their lives."
- Dan Callahan, Managing Partner, Elasticity
"Sony's reputation has already suffered according to evidence in recent polling (1). Retail outlets are also reporting that there is a significant rise in Sony PS3 returns and exchanges (2). Sony will also experience a long term effect of these security breaches as today's consumers have increasing privacy concerns. History has shown that security holes in software affect consumer perception as is arguably demonstrated in ongoing security concerns with Microsoft Windows and Internet Explorer vulnerabilities.
"At the time of the Sony outage, PlayStation Network had 77 million registered accounts. Besides the possibility of credit card data being stolen, it was also revealed that personally identifiable information, including passwords, were unencrypted. This demonstration of unprotected data and personal information will be a permanent smudge of Sony's record. Parents of young and teenage gamers will be reluctant to allow their children to join these networks if their privacy and safety is not safeguarded.
"Sony has been criticized for their handling and response to the security breach. They were wrong to wait for so long to report on the breach. Moving forward, the best they can do to help restore their reputation is have absolute transparency with the issues they are having and their plan to correct them."
- Peter Quintas, CTO, Retail Business Development
"Spin can't deflect or protect a company's public image. A company's reputation is built over years and must be grounded in reality. The best PR company in the world can't fix a corporation with a poor record of product reliability, safety, labor relations or customer service. The underlying problems need to be fixed first."
- Kirsten Osolind, CEO of RE:INVENTION, Inc.
Former National Marketing Director of Whole Foods Market
"SONY is a highly respected, internationally recognized company - with a history of competence and leadership in our digitized society. The recent security snafus, though problematic, will be conquered with relative ease. The initial statement from Hirai was a phenomenal start - he was confident, knowledgeable, and most importantly - appeared to be sincere in his concern. The sheer honesty of SONY's response to the situation will no doubt go a long way towards easing the minds of its customers."
- Rebecca Maguire, President, Maguire Media Group, LLC.