Skip to Content

Sony’s Security Breach Shows Perils of Secrecy

After PlayStation Network was hacked into, the company should have been quicker to share information with users, experts say.

The damage done by the attack on Sony’s PlayStation Network last month—an event that exposed personal information on 100 million accounts—is still being calculated, but was magnified when Sony offered only delayed and incomplete information to users, some experts say.

Sony faces numerous Congressional requests, including this one made last week—as well as subpoenas from New York’s attorney general—seeking more information about what information was stolen, and the nature of its security defenses.

Howard Stringer, chief executive of Sony, has said the breach is the largest of its kind ever experienced by a company. But the details of the attack are still largely murky. “We have this problem with all such attacks. We never know what happened, how bad it is, what they did, or how they did it. Nothing,” says Bruce Schneier, a renowned security expert. “There is no visibility at all, and Sony is particularly ham-fisted about saying stuff and then retracting it.”

In a response to an earlier letter from Congress, Sony said it faced an “extraordinary” situation in which information about the intrusion “was neither immediately nor easily obtainable,” and it acted prudently in shutting the network down quickly while investigating what had happened.

Sony shut down the PlayStation Network from April 20 until May 15, when the company started getting its networks back online. Sony estimates that the incident cost $171 million.

Although the attack started sometime between April 17 and April 19, it wasn’t until April 26 that Sony announced that massive amounts of personal information had been exposed. For seven days, Sony made only cryptic statements to explain network outages. On April 20, the company published a one-line blog post saying: “We’re aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information.”

On April 21, Sony said it was still investigating. On April 22, it said there had been an “external intrusion on our system.” On April 23, it said it was “rebuilding our system to further strengthen our network infrastructure” in part to “provide the system with additional security.”

Three days later, Sony finally issued a more detailed statement on the hack, confirming that names, addresses, birthdates, e-mail addresses, and other information for registered users of its PlayStation Network and Qriocity—which provides streaming media—had been stolen. It gave customers advice on how to protect themselves in case of identity theft.

Later that day, an angry user named “jonabbey” commented on Sony’s PlayStation blog: “It’s rather incredible that this is the first meaningful communication you have given us. Many of us who are savvy enough to be reading your blog are technical enough to be running our own Internet services, and you really can’t go wrong by over-communicating, here.”

Schneier agrees. “You need enough information so researchers—and also customers—can make intelligent decisions,” he says. “But the companies don’t want the customer to have visibility. They are perfectly happy not talking about the details, because the details are embarrassing.” 

Schneier added: “Right now, you as a customer have no choice but to trust Sony— or Citibank, or your phone company, or Facebook, or Amazon, with your information—and you have no visibility and no control over how they secure it.”

Last week, the White House announced a legislative proposal that would increase penalties for those who hack into computer systems—but only if the target involves critical infrastructure, which is yet to be defined.  Under the current Computer Fraud and Abuse Act, penalties only apply to attacks on  financial or government networks. Melissa Hathaway, a consultant who served as President Obama’s cyber policy advisor in early 2009, says the proposal should extend to incidents such as the Sony breach. 

“This is an opportunity to actually create more of a domestic deterrence policy statement that any computer that is penetrated for whatever reason should fall within this law,” Hathaway says. “The laws should determine that the hacking is illegal, and that the effects of the hacking should determine the penalties. It’s time that the government declares that the computer systems of all entities—government, commercial, education—are interconnected.”

The White House proposal would also create a federal law requiring companies to notify users of breaches that expose their personal information in the United States. Currently, a patchwork of 47 state laws govern such notification.

Keep Reading

Most Popular

A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?

Robot vacuum companies say your images are safe, but a sprawling global supply chain for data from our devices creates risk.

A startup says it’s begun releasing particles into the atmosphere, in an effort to tweak the climate

Make Sunsets is already attempting to earn revenue for geoengineering, a move likely to provoke widespread criticism.

10 Breakthrough Technologies 2023

Every year, we pick the 10 technologies that matter the most right now. We look for advances that will have a big impact on our lives and break down why they matter.

These exclusive satellite images show that Saudi Arabia’s sci-fi megacity is well underway

Weirdly, any recent work on The Line doesn’t show up on Google Maps. But we got the images anyway.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.