Sony defends breach reaction - refuses to promise total security
by Steve Ragan - May 18 2011, 07:20

While it is true that no system can be 100-percent secure, you would think that Sony’s CEO, Sir Howard Stringer, Kt, and other executives would be just a little more encouraging when it comes to network security.
In a press conference on Tuesday, Sony addressed several topics, including data security, its response time to the attacks, and the lack of evidence to suggest Amazon was used in the data breach.
Calling it the “bad new world” during a conference call for members of the media, Sir Stringer discussed the attacks that crippled Sony’s network and exposed millions of customer records. In particular, he vehemently defended his company’s response to the attacks and their process of notification.
“This was an unprecedented situation,” Sir Stringer explained on the call.
“Most of these breaches go unreported by companies. Forty-three percent notify victims within a month. We reported in a week. You're telling me my week wasn't fast enough?”
In a Q&A with The Wall Street Journal he expanded on this [Source]:
“We told people what we believed to have been lost and what we couldn’t rule out within a day of finding that out. That’s fast. That’s faster than what most companies have done. That’s faster than the law required and it was the responsible thing to do for our customers. You can’t find a company that acted any quicker once it found out…”
This strongly worded response differs in tone from the one he gave to customers in an open letter earlier this month on the PlayStation blog [Source]:
“I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process. Hackers, after all, do their best to cover their tracks, and it took some time for our experts to find those tracks and begin to identify what personal information had — or had not — been taken.”
There are other comments of note listed below. One interesting item is that despite the press coverage, Sony has no evidence to suggest that someone used Amazon to attack their network.
On the gaming community’s reaction:
“These are people who enjoy games. As you know, or as you may have discovered, there are a lot of them…They were angry in the first place because they lost their games, and now they’re happy because they’ve got them back. We’re [Sony] also pleased about that.”
On making themselves a target for attack by suing GeoHot:
“Yes I suppose that might have been part of it. Certainly, Anonymous made references in its letters to the lawsuit that we made. An act was done, which was dangerous to Sony and dangerous to PlayStation, we thought it was a criminal act and we have the right to protect ourselves. What somebody else does in response to our desire to protect ourselves is not really our concern. We felt very strongly that we need to protect PlayStation 3 and its codes, and enough about games to be stolen. Those games are expensive, forty to fifty million dollars some of them, and we didn’t want the thin end of the wedge.”
On whether he would do anything differently, looking back:
“No I don’t think going back in time does any good. We had the right to protect ourselves and that’s what we did.”
[Source - Audio recorded by Arik Hesseldahl for AllThingsD]
In addition, the Executive Deputy President for Sony, Kazuo Hirai, joined the press meeting via video. He said, “It's a realization that we all had, that no system is 100 percent safe. This requires constant monitoring and constant vigilance,” when commenting on ensuring security.
This is true, but given the public outrage over the security incident, it was disappointing to hear so few details about the investigation to this point, or even basic details on what has been done to strengthen data protection.
Not to mention, if reports of lax security are legitimate, then keeping up on security patches and software versions goes a long way towards a hardened infrastructure. To address this, Sony has hired and promoted from within to add security people to its IT department.
Sony’s investigation is ongoing, but Sir Stringer said that there would be no reward for information leading to the attackers responsible, as previously speculated in the media. Speaking to AllThingsD, he said that such a reward wasn’t appropriate.
After re-launching the PSN this week, Sony encountered service outages in some areas as a flood of gamers hit the network to reset their passwords. As of Wednesday morning, there were no reports of any further issues.
