In the course of the last five or six years, there has come to be a fairly well-established and familiar cycle for data breaches. Company X discovers an attack that compromised some customer data; it investigates and assesses the damage; it reports the breach to the relevant authorities and apologizes publicly while absorbing a beating from the press and angry customers; it moves on with its business. But Sony officials have added another link to that chain–the righteous defense–and in the process may have changed forever the way that companies handle data breaches.
Strange things are afoot in the security world.
For the better part of the last month, the attack on the Sony PlayStation Network and other of the company’s online resources has been at the top of the headlines. The intrusion was a massive and massively embarrassing one, with Sony having to take the PSN completely offline for a month while it investigated the scope of the attack and determined how much customer data was stolen.
At first, the company was silent on the reason for the PSN outage and it wasn’t until a week later that officials admitted that the company’s database of PSN customers had been compromised.
Details began to trickle out bit by bit and eventually Sony executives said that some data from all of its 77 million PSN customers had been stolen, although it’s still unclear how much data the attackers stole from each customer. In the wake of the attack and Sony’s delayed admission of the scope of the incident, customers and security experts lashed out at the company for not being more responsive and up-front about what happened and letting people know sooner that their data had been stolen.
In what has become the accepted form, Sony officials then apologized to its customers, and in a response to questions from U.S. lawmakers, said that the company had been “the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack.”
In other words, the bad guys were really good and there’s nothing we could have done to stop them. Sorry.
The next step in the cycle came this week when Sony turned the PlayStation Network back on and offered consumers a welcome back package as a make-good for whatever pain and suffering they’d had to endure. Everything seemed to be in place for the company to move on and the incident to take its place on the Mount Rushmore of data breaches, alongside the ChoicePoint, TJX and Heartland Payment Systems incidents.
But a funny thing happened on the way to the wood shed: Sony got angry.
In a series of interviews on Tuesday, Howard Stringer chairman and CEO of Sony of America, went on the offensive, saying that the company had in fact acted more quickly than most others in its position do, and adding that the incident was “unprecedented” in the history of modern data breaches.
“This was an unprecedented situation,” Stringer told Reuters on Tuesday. “Most of these breaches go unreported by companies. Forty-three percent [of companies] notify victims within a month. We reported in a week. You’re telling me my week wasn’t fast enough?”
It’s unclear where Stringer’s citation of 43 percent of companies reporting in a month comes from, but his contention that Sony acted as quickly as it could under the circumstances may be a valid one. In its letter to congressional leaders earlier this month, Sony said that the attack on the PSN systems was just one piece of a larger puzzle that included DDoS attacks against some of the companies servers and a separate but possibly related intrusion on some other Sony servers. Given the size of the PSN and Sony networks and the number of customers involved, Stringer’s assertion that a week is a decent response time seems reasonable.
But that’s not what customers want to hear. They want self-flaggelation and humility and apologies and some sort of punishment for Sony. People are tired of getting breach notification letters, having to request new debit and credit cards and worry about whether someone else’s mistake is going to cost them money. They want companies such as Sony and Michael’s and others to suffer for their mistakes.
But if you’re waiting for the market to punish these companies, you’re going to be sorely disappointed. It’s not going to happen. Some customers will be angry enough to stop using the PlayStation Network or drop Sony products altogether, but it won’t be enough to make any difference to the company.
As Stringer told Bloomberg, the breach is “a hiccup in the road to a network future.” And he’s probably right. One consequence of the proliferation of data breaches in recent years is that consumers have developed a callous, they’re fatigued by all of the incidents. They’re angry, but at the same time they know there’s little they can do to show that anger to the companies involved.
As it stands, the companies have the upper hand, as usual. But if Stringer’s angry response becomes the norm, perhaps the winds will shift a bit and customers will find a way to make their own displeasure known.