








Pittsburgh Post-Gazette
“You probably heard about Sony’s PlayStation Network hack if you glanced at the internet, television or even newspaper in the past week. It was such big news even news sources like Fox News, ones that usually reserve video game news for exaggerating the indecencies of the latest mature title, discussed the security breach ad nauseam.
To say the hackers did damage to Sony would be the understatement of the year. They crippled the network, knocking it out of commission for a little over a week, and the hackers had access to about 77 million users personal information, including credit card data.”




DATES: April 17-19, 2011
SITUATION: Hackers illegally access Sony PlayStation Network
& Qriocity Services which has 77 million registered users data with over 12 million accounts containing credit card information.
PUBLIC NOTIFICATION(S):
 Brief (April 22, 2011)


 Formal (April 26, 2011)
FINANCIAL IMPACT: Sony shares fall by more than 5%.
Unknown amounts still need to be determined for resolving problem and compensating consumers.
FEEDBACK: Public questions company’s security and response, governments discuss regulatory environment, and lawsuits are filed.




Founded in 1946 by Engineer Masaru Ibuka and physicist Akio Morita
Company begins as Tokyo Telecommunications
Engineering Corporation named “Totsuko”
Initial products: portable radios, tape recorders, electric rice cookers


Initial functions: build and repair electrical equipment
Enters North American market in 1950s
(Latin word meaning sound or sonic)
(English term denoting youth & excitement)
Sony
 Large recognizable divisions: Sony Pictures, Sony Computer
Entertainment, Sony Electronics, Sony Ericsson, Sony Music, Sony
USA

 1980s – CD technology developed with Philips
 1988 – Partnership built with Nintendo to develop cartridge/cd gaming system called
“PlayStation”



Early 1990s – Sony & Nintendo disagree on direction and disbands partnership
1994 – Sony releases cd-only gaming system called the “PlayStation X”
1995 – Sony Computer Entertainment division is created and headquartered in Sunnyvale, CA
 Mid 2000s – Latest version of PlayStation called PS3 arrives with “Bluray” disc technology, wireless internet access, internal storage, digital video & audio outputs, and general navigation menu

NINTENDO:


Wii Sales: $754M
Portable (DS &
3DS) Sales: $827M
SONY:
 PS3 Sales: $439M
 PlayStation Portable
Sales: $297M
*Please note that sales numbers only represent combined hardware and software numbers without additional subscription revenue, etc.
MICROSOFT:
 Xbox 360 Sales -
$535M

Release
• Business Briefing Meeting 2006 in
Tokyo
• Brought on as part of PS3 news
Specifications
Registration &
Access
• Multi-player gaming, internet, & chat
• System updates; downloads and streaming of multimedia
• Free user registration
• Access via PlayStation 3, PlayStation
Portable, or PC
Transactions
• Paid for using electronic funds
• Originally done through tickets but now pre-paid & credit cards are okay
Users
• 77 million registered online worldwide as of 4/30/11

4/19: Illegal activity is detected in network.
4/21: Sony retains services of external security firm.
BREACH
4/20:
Engineers discover intrusion evidence and shut down
PSN.
4/22: Sony provides
FBI info and comments on blog without discussing data loss.
4/23:
Forensic teams confirm advanced attack and notifies public.

4/24: Sony continues work with forensics on server problems.
4/25: Global credit card info loss cannot be confirmed.
DIAGNOSIS
4/25:
Account details
(name, address, email, password, etc.) are confirmed stolen.
4/26: Kaz Hirai, head of Sony gaming, appears at news conference for tablet pc’s without taking PSN questions.

4/26: Sony emails consumers with detailed hack info.
4/27: Shares fall
2% on news of potential data loss and first lawsuit filed against company.
FALLOUT
4/26-4/27:
Sony begins notifying regulatory entities of breach.
4/28:
Shares drop
4.5% in
Tokyo.
4/29: Sony refutes claims of
2.2 million credit card accounts stolen.

 CNN reported that “Gamers (are) fuming”
+sid4peeps : “This update is 6 days LATE. I think it is time to move to the other network, no regard for customers here”
+Korbei83 : “If you have compromised my credit information, you will never receive it again.
The fact that you’ve waited this long to divulge this information to your customers is deplorable. Shame on you”
+tazinlwfl : “…I love my PS3. I really like Sony and I support the developers 100%, but this really tests everyone’s patience.
It really tests my patience.”

“PSN being out definitely affects our bottom line… but as long as the people who were going to be playing… get right back in there playing… we’ll be happy and hopefully
“Our belief is that whilst this is terrible news… it won’t affect the user base too much.”
Stewart Gilray, Just Add
Water
“We have our first selffunded, self-published
PSN game,… coming out next week, so from our point of view , the fact that the network isn’t income won’t be dented
too much.” Dylan
Cuthbert, Q-Games
Developer available is a big
concern.” Lol Scragg,
Cohort Studios
Founder
“From my perspective, the bigger issue is not about PSN, but confidence in digital distribution generally.”
Ste Curran, Zoe
Mode Creative
Director

Senator Rick Blumenthal
(D-Connecticut)
“I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.”

• UK’s Information Commissioner
• Researching PlayStation Hack
• Has power to fine companies ₤ 500,000 for serious data breaches
• Canada’s Privacy Commissioner
• Currently investigating Sony to determine whether it has violated any privacy laws
International

“This action arises from SONY’s failure to maintain adequate computer data security of consumer personal data… Subsequent to the compromise of private consumer information and financial data, Defendant unduly delayed or failed to inform in a timely fashion the appropriate entities…”
Kristopher Johns v. Sony Computer
Entertainment America
“Because of Defendant’s actions, millions of their customers have had their Financial Data,
Personal ID, and Usage Data compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages.”
Rebecca Mitchell v. Sony Computer
Entertainment America

Payment Card Industry – Data Security Standard (Requirements)
• Maintain a Firewall
• Don’t use vendor-supplied
• Restrict access to need to
• default system passwords
Protect cardholder data
• Encrypt transmission across open , public networks
• Use and update anti-virus software
• Maintain a policy that addresses information security know
• Assign a unique ID
• Restrict physical access to cardholder data
• Track and monitor all access to network resources
• Regularly test security systems
• Develop and maintain secure systems and applications
=> Laws vary greatly from state to state

SCENARIO
RESPONSE
ADDITIONAL
INFORMATION
12/22/07 – Microsoft’s Xbox
Live service went down for 13 days due to a server crash.
03/30/11 – Epsilon discovered that its network had been breached
Free downloadable arcade games to members valued at roughly over $80M
04/01/11 – Official press release issued notifying public
01/03/08 – Microsoft was notified that they were the subject of a $5 Million class action suit
Clients (Kroger, JP Morgan,
Capital One) customer data was stolen
“…greatest risk to Epsilon and
Alliance Data is the potential loss of clients”

 What are the critical issues in this case? Who are the stakeholders?
 What can Sony learn from other similar scenarios?
 How will Sony compensate PSN consumers for this malfunction?
 How can Sony not lose consumer confidence in products?
 How should Sony handle the regulatory environment surrounding data theft protection?
 What communications should Sony make and to whom?