Sony's Latest Statement on ID-Data Loss: A Classic of the Corporate Non-Apology

After a month of security breaches of its various entertainment networks, Sony (SNE) CEO Howard Stringer apologized to the roughly 100 million accounts that were affected. But how much mileage can Sony get from such a belated and inadequate action, particularly if a rumored third attack takes place this weekend? Or even if not, given the mounting inquiries by more government groups than you knew existed?

On first blush, Stringer's apology letter seemed soothing enough, at least if customer comments on his post were any indication. Of course, 110 posted remarks (as of the time of writing) don't come close to representing the many tens of millions affected, and there are plenty of reasons to think Sony's reign of error hasn't yet ended on this subject.

Slow as molasses in a New England winter
Not all the reader comments were understanding. Some asked an obvious question: Why the heck did it take Sony so long to say anything to customers? Stringer attempted to address the glacial pace:

I know some believe we should have notified our customers earlier than we did. It's a fair question. As soon as we discovered the potential scope of the intrusion, we shut down the PlayStation Network and Qriocity services and hired some of the best technical experts in the field to determine what happened. I wish we could have gotten the answers we needed sooner, but forensic analysis is a complex, time-consuming process. Hackers, after all, do their best to cover their tracks, and it took some time for our experts to find those tracks and begin to identify what personal information had -- or had not -- been taken.

• Contact each account to say there may have been theft of customer data.
• Explain the amount of time it will likely take to have forensic experts unravel what went wrong and what was compromised and promise further communication.
• Keep in regular touch after steps are done or when they were supposed to be done, so no one feels powerless, waiting for word.

Still, that's where Sony is putting down its chips. Instead of saying when services would again be available, Stringer said that the company would restore service "in the coming days." Is that this week? Next? Next month? Better to give a hard and fast date far enough in advance that you have time to do what is necessary. Then if you're done earlier, people get a pleasant surprise.

"Sorry" in Japanese now means, let's upsell you
Sony's response to customers is really little more than crafted PR intended more for its own benefit than for its customers. Here's what Sony is offering its customers:

• a one year, $1 million identity theft insurance policy
• a free month of PlayStation Plus membership for all PlayStation Network members
• extension of PlayStation Plus and Music Unlimited subscriptions to make up for time lost

What Debix really wants to do is "cyber monitoring and surveillance of the Internet to detect exposure of [a] customer's personal information, including monitoring of criminal web sites and data recovered by law enforcement." Uh, right. Cyber criminals capable of stealing tens of millions of identities without alerting anyone as they do it aren't likely to dispose of the information in a way that law enforcement or Debix will hear.

"By the time they find out about it or you find out about it, it could be more than a year," said Mari Frank, an attorney and expert in identity theft, on a phone interview. (Disclosure: I edited her book Complete Idiot's Guide to Recovering from Identity Theft.) And if so, the affected Sony customer is out of luck, as their insurance will have lapsed.

Furthermore, the major steps in combating identity theft involve using credit reports, statements from financial institutions, and other relevant information that can offer a clue of ongoing identity theft, whether new accounts you didn't request or charges you didn't authorize. In fact, given how identity theft has developed, Frank says that credit monitoring alone isn't enough anymore. "What's scarier is opening up bank accounts in these people names or medical identity theft." None of that even shows up on credit reports.

Without telling people how to take the necessary steps, Sony pretends that everything will be fine. After all, if you tell people what they really need to know, they might -- you know -- get upset and not spend more money with you.

Regarding the free month of PlayStation Plus membership, it's no more than a trial period to get someone interested enough to pay for an ongoing subscription. As one person wrote:

A question, the non-Plus-user who is granted the free PSN+ month will be unable to use the free-Games/DLC as soon as their free-month expire? If that so, it seems to me only as a PR stunt instead of a really reward to those users.

It will never happen again (crossing fingers)
As John Kador, an expert in the apology process, notes, two of the most important points of a corporate apology are to take responsibility for the problem and to promise never to let it happen again. Sony only apologized for the "inconvenience and concern caused by this attack," not for the obvious lack of security that enabled it.

According to Erica Ogg at our sister site CNET, chatter on a hacker Internet Relay Chat channel suggests another wave of attacks on Sony this weekend:

The people involved plan to publicize all or some of the information they are able to copy from Sony's servers, which could include customer names, credit card numbers, and addresses, according to the source. The hackers claim they currently have access to some of Sony's servers.

Related:

• Sony's Security Snafu: How Other Companies Can Make Hay of Its Total Cock-Up
• Sony Plays Its Chump Card: Lack of Security Makes the Xbox Look Good
• The Epsilon Email Break-In: A Bad Break for The Cloud
• It's Way Past Time for Corporations To Stop Hiding Security Problems
• A PlayStation Phone Won't Fix Sony's Gaming Businessd
• Gaming Companies, Like Much of High Tech, Often Don't Understand Customers