Sony

The virtual battlefields of cold war Russia, Cuba and Vietnam have fallen quiet. The bands of trigger-happy youths who roam their shattered cityscapes and blasted wastelands have not been seen for more than a week.

This is what happens when the busiest network for video game players goes dark. With Sony’s PlayStation Network offline after succumbing to a break-in, acolytes of games such as Black Ops – the latest, billion-dollar instalment in the Call of Duty battle saga – can no longer congregate in virtual war zones to forge alliances and find enemies to slay.

For some, accustomed to losing loved ones to prolonged bouts of game-playing, this will bring blessed relief. But it also highlights an altogether nastier outbreak of hostilities.

Sony took the network offline on April 19 after discovering that the personal details of its 77m members – including names, e-mail addresses, user IDs and passwords – had been obtained by an unknown hacker. It later said users’ credit card details might also have been taken. The company did not issue a general alert about the intrusion until April 26.

Even after that, it was not until April 28 that users such as Louis, an occasional game-player from New York, were contacted directly about the security breach. The 25-year-old, who asked for his last name not to be used, dismisses this performance as “pathetic”. “It’s upsetting they didn’t inform us about the risk,” he says. “Do they even care about customer information security? Appears not.”

The privacy violation at Sony has hit a sensitive nerve, and not just because of the way it has been handled. Games networks are emerging as one of the main fronts in the war for the digital living room. They not only connect players to each other but also enable them to rent movies, listen to music and talk to their friends. For Sony in particular, there is little of greater strategic importance.

The Japanese company has long dreamt of connecting its many consumer devices in ways that increase their value to more than the sum of their parts. The PlayStation Network has become “the shining diamond” of this strategy, says Professor Michael Cusumano of Massachusetts Institute of Technology, who worked with Sony on one of its recent networking initiatives. However, he says, in general, it is stuck in a world of stand-alone hardware, putting it far behind American rival Apple.

Gaming has assumed an increasingly central role for Sony as it has lost ground in consumer electronics categories it once dominated, such as televisions and portable music players. Last month it anointed Kazuo Hirai, head of its networked products group, which includes PlayStation, as the presumptive successor to Sir Howard Stringer, president and chief executive. In the quarter to December, Mr Hirai’s group earned Sony profits of Y45.7bn ($553m), nearly twice as much as Sony’s more traditional electronics. In the case of PlayStation, use of the network is free for owners of the console, but users often pay for extras such as new levels for games or movie rental direct from Sony.

Gamers are “probably the most loyal customers they have”, says Michael Pachter, an analyst at Wedbush Morgan in Los Angeles. “That’s what makes it doubly bad.” He notes that “there are more than 70m users who are going through the psychological pits right now” as they endure withdrawal symptoms.

To some, this case is simply another example of how vulnerable big companies are to determined hackers. “It’s hard to come down hard on Sony,” says Mr Cusumano. “Everyone has breaches of security on the internet.”

Some of the biggest names in corporate America, from JPMorgan Chase to Citibank and Target, the general retailer, were embarrassed last month when they had to admit that their customer lists had been stolen from Epsilon, a company they had all used to handle their e-mail marketing lists.

But the debacle has left many uncomfortable questions. At the very least, security experts say, Sony should have been on its guard after Anonymous, the activist hacking collective, declared it a target in early April, angered by its lawsuit against a tinkerer who modified his PlayStation games console.

There may have been early warning of the damage to follow. Sony suffered a far more serious breach of its systems in early April than it suggested at the time, according to one person familiar with the problems, but did not take the network down at that point. Sony did not respond to requests for comment.

And while Anonymous was probably not behind the latest and most devastating attack, chat logs that show communication between hackers on the internet reveal that they were busy probing the company’s defences, says Gartner security analyst John Pescatore.

The breach in Sony’s systems appears to have been caused by an elementary technical failure, says Paul Kocher, president of Cryptography Research, a San Francisco-based security technology company. The software in its games consoles had failed to produce the secure link to the company’s servers needed to keep out intruders, he says – the sort of mistake that should not have slipped through internal scrutiny.

Mr Kocher adds that Sony’s information security team is far smaller than those of other big technology concerns that operate secure networks for mass consumer markets. The company declined to comment.

For most non-gamers, meanwhile, it will be easy to put the Sony mess aside with barely a thought. Such digital break-ins have become familiar, and for most consumers online life goes on as before.

That attitude may eventually become untenable. As the amount of personal data stored online grows, so too have the incentives to steal it. The uses to which it is being put are becoming increasingly insidious. “There’s more to take, and it’s more valuable,” says Bruce Schneier, a well-known security author.

Credit card details, which are being collected online in ever larger numbers, are the most visible sign of this. The biggest internet companies are in a race to collect payment details from the greatest number of consumers as they seek to tie their users into closer relationships – as demonstrated by Apple chief executive Steve Jobs’ recent boast that his company, with more than 200m credit card accounts, probably now has more than any other online business.

It is impossible to link breaches of credit card data security with subsequent instances of fraud. Pelham Smithers, an independent analyst who follows Sony, says the biggest problem for the company could be “coincidence risk”. Even if the hacker did not manage to steal anyone’s financial keys, he reasons, “the chances of at least one in 77m people having his identity stolen is quite high”.

The coincidences can indeed be striking. Darren Yeagle, 24, a PlayStation user from Louisville, Kentucky, heard about the Sony breach when it was announced on Tuesday. The next day, he says, his bank called to query a credit card payment of nearly $900 he had supposedly made to an online clothing site called Dr Jay’s – a transaction of which he had no knowledge.

Sony said it had encrypted its credit card data, meaning it could be read only by someone with the right code. It has not been able to confirm whether any of these data were taken.

Meanwhile, theft of credit card data is starting to be overtaken by that of other types of personal information as the amount stored online explodes. That may be because most of the world’s low-hanging credit card fruit has already been plucked. There were no reports of large-scale intrusions in 2010, suggesting security had become tighter.

These days customer lists maintained by online companies, especially those containing passwords and other valuable security-related information, are a particular target, says Avivah Litan at Gartner. Armed with the answers to questions such as “What is your mother’s maiden name?”, criminals are able to impersonate users more widely on the internet. Roughly two-thirds of internet users use only one or two different personal passwords – with some slight variations – on all the sites they visit, according to Gartner research.

With personal information such as this to hand, it is easier to devise e-mails intended to trick a single person. This “spear phishing” is the most popular way to win entry to big companies’ systems. And when a consumer uses a standard password on their online bank account, it becomes easier to take money without resorting to credit card fraud, experts say.

So will the Sony breach – particularly as it involves such a well-known consumer brand – cause users such as Darren to think twice about using its services in future? “Probably not,” he says. “It’s just a problem that happened. I think Sony will eventually get [the network] up and running.”

The response is fatalistic and pragmatic. “You give your data to airlines, to mobile companies, to Sony, and there’s nothing you can do to protect yourself,” says Mr Schneier. “You have no say in how they treat it.”

That leaves users with few options. But it is probably still worth varying your passwords, thinking up some new security questions – and hoping for the best.

Additional reporting by Jonathan Soble and Joseph Menn

Copyright The Financial Times Limited 2019. All rights reserved.