Uploaded by ochieng vincent

A real case from the IT security area

An Investigation into the Sony PlayStation Hacking Crisis
Abstract
The report's goal was to examine the Sony PlayStation Hacking Crisis. The Sony PlayStation
hacking crisis exemplifies the all-too-common problem of personal data theft in the digital
information age. The hacking makes it necessary to consider how such a crisis could be
avoided in order to protect customers' personal information and ensure client-vendor trust. The
study focuses on evaluation. The Anticipatory Model of Crisis Management (AMCM) was used to
investigate the Sony PlayStation hacking. Using the AMCM, it was discovered
that Sony Corporation could have handled the crisis better.
Introduction
Organizations will invariably face crises, and whether or not the organization is prepared for
a crisis determines some of the severity of the crisis at hand. Scholars argue that a model is
required to help prevent crises from arising, which necessitated the creation of
the Anticipatory Model of Crisis Management. Sony's April 2011 crisis is an important case study
for researching the effects of an organization's crisis on its customers and for better comprehending the
ramifications of certain actions taken to alleviate the effects of a crisis. Sony had a security
breach on its PlayStation online service. Millions of customers had personal access
to the network. Credit card information was among the data stolen. Sony calculates the
PlayStation Network's losses. $171 million was stolen. The goal of this paper is to examine
Sony's crisis through the lens of the Anticipatory Model of Crisis Management in order to
highlight future implications for online service providers, which are significant.
At first, it didn't seem like a big deal. After all, outages on various gaming networks are still
fairly common, and the PlayStation Network in 2011 was not exactly known for its dependability.
The timing was unfortunate, coming on the heels of highly anticipated PS3 releases such as
Portal 2 and SOCOM 4: US Navy SEALs, but frustrated gamers could no doubt find something
else to do, get a good night's sleep, and give those games' online functionality another shot the
next day.
The PlayStation Network would be completely unavailable for 24 days. Beginning on May 15,
Sony gradually restored the service over months, with some regions, such as Japan, experiencing
downtime for up to 76 days.
While this was an unprecedented period of downtime (and security lapse) for a major gaming
network, it was not entirely unexpected. Indeed, just a few weeks before, the hacker collective
Anonymous warned Sony that it was planning a series of attacks against the company in
retaliation for its legal pursuit of hackers who cracked the PS3's anti-piracy measures in 2010.
"Cyber-attacks are one of the unfortunate realities of doing business today," Zynga said in
announcing the breach, downplaying its failure to secure customer information, failing to
mention that 173 million users were affected by the failure, and encapsulating the seemingly
defeatist attitude toward the subject that so many companies today have.
Looking back on the PlayStation Network hack, I can't help but think that the real lesson
companies learned was that jeopardizing the safety and security of millions of customers is only
a big deal if it takes your service offline for an extended period of time.
Case Report
Sony Corporation is a company that manufactures a variety of electronics. The PlayStation
gaming system is one of Sony's most popular products. Sony was subjected to a massive security
breach. In April,20th of November, 2011 Sony executives began to look into unusual activity
on the PlayStation network that ultimately resulted in the theft of more than $100 million personal
information about PlayStation users and, for some, credit card information2-4. Sony shut down
the network the day after suspicious activity was discovered, and despite Sony's almost daily
announcements about the system outage, the company waited almost a week (six days) after the
initial recognition to make an announcement about the hacking3, 5-6. In the end, Sony is said to have
invested around $170 million to cover the costs of taking care of the consumers
who had been harmed, enhancing network security and customer service, and investigating the
hacking. The following section of this case study provides a brief overview of the
anticipatory model of crisis management, which is used in this case to assess the efficacy of
Sony's handling of the PlayStation hacking (South-Western College Publishing, Ohio,
2001).
Discussion
Sony has issued a warning that the names, addresses, and other personal information of
approximately 77 million people who have accounts on its PlayStation Network (PSN) have been
stolen.
Gamers have been locked out of the network for a week, but the company has revealed that the
system has been suspended since last Wednesday, when it was hacked (B. Olaniran, D.
Williams, and W. Coombs, Peter Lang, NY, 2012, pp. 13-17).
Sony said that between April 17 and 19, an "illegal and unauthorized person" gained access to
people's names, addresses, email addresses, birthdates, usernames, passwords, logins, security
questions, and other information.
Children with accounts set up by their parents may also have had their data compromised,
according to Sony, which issued a warning on its US PlayStation blog – though the warning
about the compromise may not be immediately visible to passing readers. People who may be
affected are also being emailed by the company.
The intrusion could be one of the largest ever into a credit card store. Sony's PSN is one of
the world's largest credit card holders, though not as large as Amazon, eBay, PayPal, or Apple's
iTunes, which each have over 100 million accounts.
Heartland Payment Systems was hacked in January 2009, and up to 100 million US credit
and debit card details were stolen. TK Maxx was hacked in March 2007, and up to 46 million
credit card details were stolen.
The company stated that it found no evidence of credit card numbers being stolen, but added,
"Out of an abundance of caution, we are advising you that your credit card number (excluding
the security code) and expiration date may have been obtained."
The online marketplace, which debuted in the autumn of 2006, allows users to buy and play
video games, music, and movies on their PlayStation consoles.
The hack attack has rendered it inoperable, and it may be up to a week before it is
operational again. Sony stated that it had hired an outside security firm to investigate what
occurred and that it has begun to rebuild its system to provide greater protection for personal
information.
Sony warned network users to be wary of phone and email scams, saying, "To protect against
possible identity theft or other financial loss, we encourage you to remain vigilant in reviewing
your account statements and monitoring your credit or similar types of reports."
PlayStation Network issued an apology to users via the Sony website, stating that those
suspected of being victims of the hacking would be contacted via email.
"We don't have an exact date to share at this time as to when we will have the services turned on,
but we are working day and night to ensure it is as soon as possible," the statement said.
According to Graham Cluley, senior technology consultant at security firm Sophos, the theft of
such detailed customer information would be a "public relations disaster."
Crisis Management Model Based on Anticipation
An organizational crisis is defined as an unforeseeable or significant threat that could have a
negative impact on the organization's, industry's, or stakeholders' credibility7-9. In essence, a
crisis is defined as an event that jeopardizes one's safety, customers, or community, or threatens
to destroy public trust in the organization, thereby harming the company's reputation10. As a
result, effective crisis management entails a proactive approach that includes prevention,
particularly during the pre-crisis phase7, 11-13. To meet this need, the anticipatory model of
crisis management was developed.
The anticipatory model of crisis management (AMCM) was originally developed to address
crisis and crisis management at the outset rather than after the fact. The AMCM contends that,
while one may not be able to prevent all crises from occurring, a focus on crisis prevention is
essential, and preventing crises from happening should remain a top priority. The anticipatory model's
central position is that significant efforts should be made to put in place programs that assess
potential crisis triggering factors, such as human error and natural disaster, among others,
while also putting in place appropriate plans to deal with any crisis if and when it occurs. The
original formulation of AMCM was intended to address crises caused by organizational use of
technology12. However, the AMCM has been extended beyond technology to other types of
crises, and the new anticipatory orientation toward crisis management has shifted the starting
point for crisis evaluation13. The definition of crisis reflects the belief that crisis prevention not
only protects the public's health and safety, but also preserves the public's trust in organizations
to prevent crises by ensuring the safety of their products and the honesty of their business
practices and communication with the public, all while demonstrating good citizenry in the
community in which these organizations exist or operate. In terms of public safety, the
anticipatory model implies that best practices are maintained through competent communication
both within the organization and with the general public.
The AMCM's basic premises and assumptions are comprised of three major factors:
expectations, enactment, and control. The expectation principle is concerned with the
assumptions that people make about specific events12, 14, and 16. Expectations about the
likelihood of a crisis, for example, would determine whether or not a provision was made to
implement a preventive action or countermeasure. However, it stands to reason that assumptions
based on expectation have the potential to become self-fulfilling. For example, if organizational
decision-makers believe that a specific technology is fail-safe, they may err and relax safety
mechanisms and measures, such that additional countermeasures become an afterthought and
are never implemented to create the necessary buffer or redundant procedures12.
In terms of enactment, the assumption is that the very action that enables people and
organizations can also cause destruction18. This concept is related to the principles of
enactment and expectations, which are relevant to the anticipatory model12-15. Enactment is
concerned with the process by which a specific action is carried out19. The concept of enactment
was eventually extended to the consequences of those actions18. Failure to implement a crisis
plan, for example, may have a negative impact on the eventual or subsequent crisis management.
The model contends that the concept of "anticipation" (of crisis) in and of itself is an action,
because it determines the subsequent choices an organization makes based on available
information, with enactment conceived as a retrospective sense-making process. This claim is
supported by the fact that decision-makers, particularly organizational leaders, frequently find
themselves in situations where they must anticipate opportunities, threats, and weaknesses in
their environment and then take appropriate measures to protect their interests. As a result, the
model asserts that different outcomes would result from decision-makers' actions or inactions
with anticipation.
Methods
Case studies are a common method in crisis management research. This project made use of
a case study centered on Sony PlayStation. The researchers used and examined publicly
available news materials from media outlets, such as news reports and stories. The news
materials are examined in an attempt to trace the sequence of events in the Sony PlayStation
hacking crisis. The researchers assessed Sony's decisions during the crisis using the tenets of the
AMCM model. Case studies are the process of thoroughly examining detailed information
surrounding a specific event or phenomenon, such as the Sony crisis22-24. The study's goals
were to identify the specific mistakes Sony made in handling its crisis. As a result, the series of
decisions in the Sony PlayStation hacking case were arranged on a timeline in order to better
explore the case as a whole. A timeline arrangement helps researchers track the steps and
narrow down the areas where the organization made mistakes.
Furthermore, the timeline technique provides a methodological approach that makes use of
the assumptions and ideas of the anticipatory model of crisis management (AMCM), which were
used to investigate and evaluate Sony's PlayStation hacking crisis communication and
management. As a result, the study analyzed and evaluated accessible news materials using the
AMCM lens. The implications and limitations of the case study were offered as a result of the
analysis. The section that follows assesses the Sony PlayStation hacking crisis.
Sony PlayStation Hacking Case Analysis and Evaluation
There are four separate instances where the tenets of the AMCM apply to how Sony handled
the PlayStation Network intrusion situation. For starters, Sony did not notify customers about
the breach until a week after the hackers had infiltrated the network. Furthermore, Sony failed to
notify customers that their credit card information had been stolen or compromised. Sony, on the
other hand, stated that they do not believe financial information was stolen. Second, when Sony
discovered a possible security breach, it did not immediately shut down the network. Third, Sony
falsely accused a hacker group without proper evidence. Fourth, Sony set a deadline for the
network to be fully operational again, which was not met. All four of these network crisis
components provide ample information for organizations to better prepare if they learn through
the AMCM.
The first aspect of the Sony PlayStation hacking crisis is illuminated by enactment and
expectations. Consumers expect corporations to protect their credit card information when they
purchase a product, which is a major factor in the first element of the Sony crisis. Sony, on the
other hand, failed to meet the expectation principle because credit card information was stolen
from 12 million members2 and hackers threatened to sell the information. Expectations were
also not met in regards to the security breach, as Sony did not immediately notify its customers
that a security breach had occurred. Sony waited one week after the initial breach to notify
anyone outside of the organization. When it was discovered that the hackers stole credit card
information during the breach, it meant that there was an entire week during which the
information of millions of customers was in the hands of hackers and consumers were unable to
protect themselves. As with the previous point, consumers expect to be notified if there is even the
slightest possibility that their confidential information is at risk. Sony failed to meet consumers'
expectations when it did not act quickly and prudently on the information it possessed.
Limitation
This case study has a few limitations. To begin with, the current study employs a case study
methodology. Generalizing from a case study is difficult and should be approached with
caution23. Future research should be carried out to further analyze the detailed data in order to
apply a general conclusion to a large population (Huffington Post, 2011, May 4).
Nonetheless, the analysis of the Sony PlayStation hacking crisis teaches other companies that
are vulnerable to hacking or theft of user information what to do and what not to do when
dealing with a crisis of this nature.
Second, a comparison of similar crises could produce more influential results. Perhaps by
contrasting how Sony has handled previous crises with the PlayStation hacking crisis, a pattern
revealing how Sony handles crises in general will emerge. A compare/contrast method, on the
other hand, would yield information proving Sony made serious mistakes only during the
PlayStation hacking crisis (Huffington Post, 2011, May 4).
Conclusion
When it came to handling the 2011 hacking crisis, Sony made four major mistakes. First, Sony
did not notify its customers about the breach until a week after it occurred, and Sony also did not
notify customers that credit card information may have been stolen. Second, Sony did not
immediately take action to shut down the network. Third, Sony falsely accused a hacker group
without proper evidence. Finally, Sony set a deadline for the network to be fully operational
again, which was missed. It is demonstrated how to prevent the same mistakes from happening to
another company by applying each of these missteps to the AMCM. A proper pre-crisis
communication management plan is essential for dealing with crises, and using the AMCM is
one way to achieve this goal. Implementing the AMCM as a pre-crisis focused strategy can boost
consumer and shareholder confidence, as well as its adaptability in dealing with human nature,
and thus may help save the company's reputation.
References
Tessler, J. (2011, May 4). Sony explains PlayStation network hack to Congress. The Huffington
Post.
van der Meer, T. G., & Jin, Y. (2020). Seeking formula for misinformation treatment in public
health crises: The effects of corrective information type and source. Health
Communication, 35(5), 560-575.
Morehouse, J., & Saffer, A. J. (2019). Illuminating the invisible college: An analysis of
foundational and prominent publications of engagement research in public relations. Public
Relations Review, 45(5), 101836.