The Sony PlayStation Network Crash AGENDA The Crash Company History Gaming PlayStation Network Timeline of Crash Reactions Considerations What’s Next? NEWS FLASH Pittsburgh Post-Gazette “You probably heard about Sony’s PlayStation Network hack if you glanced at the internet, television or even newspaper in the past week. It was such big news even news sources like Fox News, ones that usually reserve video game news for exaggerating the indecencies of the latest mature title, discussed the security breach ad nauseam. To say the hackers did damage to Sony would be the understatement of the year. They crippled the network, knocking it out of commission for a little over a week, and the hackers had access to about 77 million users personal information, including credit card data.” CRASH BACKGROUND DATES: April 17-19, 2011 SITUATION: Hackers illegally access Sony PlayStation Network & Qriocity Services which has 77 million registered users data with over 12 million accounts containing credit card information. PUBLIC NOTIFICATION(S): Brief (April 22, 2011) Formal (April 26, 2011) FINANCIAL IMPACT: Sony shares fall by more than 5%. Unknown amounts still need to be determined for resolving problem and compensating consumers. FEEDBACK: Public questions company’s security and response, governments discuss regulatory environment, and lawsuits are filed. COMPANY ORIGINS Founded in 1946 by Engineer Masaru Ibuka and physicist Akio Morita Company begins as Tokyo Telecommunications Engineering Corporation named “Totsuko” Initial products: portable radios, tape recorders, electric rice cookers Initial functions: build and repair electrical equipment Enters North American market in 1950s Sonus Sonny Boy (Latin word meaning sound or sonic) (English term denoting youth & excitement) Sony Large recognizable divisions: Sony Pictures, Sony Computer Entertainment, Sony Electronics, Sony Ericsson, Sony Music, Sony USA GAMING HISTORY 1980s – CD technology developed with Philips 1988 – Partnership built with Nintendo to develop cartridge/cd gaming system called “PlayStation” Early 1990s – Sony & Nintendo disagree on direction and disbands partnership 1994 – Sony releases cd-only gaming system called the “PlayStation X” 1995 – Sony Computer Entertainment division is created and headquartered in Sunnyvale, CA Mid 2000s – Latest version of PlayStation called PS3 arrives with “Blu- ray” disc technology, wireless internet access, internal storage, digital video & audio outputs, and general navigation menu CONSOLE GAMING MARKET NINTENDO: Wii Sales: $754M Portable (DS & 3DS) Sales: $827M SONY: PS3 Sales: $439M PlayStation Portable Sales: $297M *Please note that sales numbers only represent combined hardware and software numbers without additional subscription revenue, etc. MICROSOFT: Xbox 360 Sales - $535M THE PLAYSTATION NETWORK Release • Business Briefing Meeting 2006 in Tokyo • Brought on as part of PS3 news Specifications • Multi-player gaming, internet, & chat • System updates; downloads and streaming of multimedia Registration & Access • Free user registration • Access via PlayStation 3, PlayStation Portable, or PC Transactions • Paid for using electronic funds • Originally done through tickets but now pre-paid & credit cards are okay Users • 77 million registered online worldwide as of 4/30/11 TWO LONG WEEKS 4/21: Sony retains services of external security firm. 4/19: Illegal activity is detected in network. BREACH 4/23: Forensic teams confirm advanced attack and notifies public. 4/20: Engineers discover intrusion evidence and shut down PSN. 4/22: Sony provides FBI info and comments on blog without discussing data loss. TWO LONG WEEKS 4/24: Sony continues work with forensics on server problems. DIAGNOSIS 4/25: Global credit card info loss cannot be confirmed. 4/25: Account details (name, address, email, password, etc.) are confirmed stolen. 4/26: Kaz Hirai, head of Sony gaming, appears at news conference for tablet pc’s without taking PSN questions. TWO LONG WEEKS 4/26: Sony emails consumers with detailed hack info. FALLOUT 4/29: Sony refutes claims of 2.2 million credit card accounts stolen. 4/27: Shares fall 2% on news of potential data loss and first lawsuit filed against company. 4/26-4/27: Sony begins notifying regulatory entities of breach. 4/28: Shares drop 4.5% in Tokyo. REACTION – CONSUMERS CNN reported that “Gamers (are) fuming” +sid4peeps: “This update is 6 days LATE. I think it is time to move to the other network, no regard for customers here” +Korbei83: “If you have compromised my credit information, you will never receive it again. The fact that you’ve waited this long to divulge this information to your customers is deplorable. Shame on you” +tazinlwfl: “…I love my PS3. I really like Sony and I support the developers 100%, but this really tests everyone’s patience. It really tests my patience.” REACTION – DEVELOPERS “PSN being out definitely affects our bottom line… but as long as the people who were going to be playing… get right back in there playing… we’ll be happy and hopefully income won’t be dented too much.” Dylan Cuthbert, Q-Games Developer “Our belief is that whilst this is terrible news… it won’t affect the user base too much.” Stewart Gilray, Just Add Water “We have our first selffunded, self-published PSN game,… coming out next week, so from our point of view , the fact that the network isn’t available is a big concern.” Lol Scragg, Cohort Studios Founder “From my perspective, the bigger issue is not about PSN, but confidence in digital distribution generally.” Ste Curran, Zoe Mode Creative Director REACTION – GOVERNMENT Senator Rick Blumenthal (D-Connecticut) Domestic “I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.” REACTION – GOVERNMENT Christopher Graham • UK’s Information Commissioner • Researching PlayStation Hack • Has power to fine companies ₤500,000 for serious data breaches Jennifer Stoddart • Canada’s Privacy Commissioner • Currently investigating Sony to determine whether it has violated any privacy laws International LAWSUITS “This action arises from SONY’s failure to maintain adequate computer data security of consumer personal data… Subsequent to the compromise of private consumer information and financial data, Defendant unduly delayed or failed to inform in a timely fashion the appropriate entities…” Kristopher Johns v. Sony Computer Entertainment America “Because of Defendant’s actions, millions of their customers have had their Financial Data, Personal ID, and Usage Data compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages.” Rebecca Mitchell v. Sony Computer Entertainment America LAWS & REGULATIONS Payment Card Industry – Data Security Standard (Requirements) • Maintain a Firewall • Restrict access to need to • Don’t use vendor-supplied know default system passwords • Assign a unique ID • Protect cardholder data • Restrict physical access to • Encrypt transmission across cardholder data open , public networks • Track and monitor all access • Use and update anti-virus to network resources software • Regularly test security • Maintain a policy that systems addresses information • Develop and maintain secure security systems and applications => Laws vary greatly from state to state SIMILAR SITUATIONS SCENARIO 12/22/07 – Microsoft’s Xbox Live service went down for 13 days due to a server crash. 03/30/11 – Epsilon discovered that its network had been breached RESPONSE Free downloadable arcade games to members valued at roughly over $80M 04/01/11 – Official press release issued notifying public ADDITIONAL INFORMATION 01/03/08 – Microsoft was notified that they were the subject of a $5 Million class action suit Clients (Kroger, JP Morgan, Capital One) customer data was stolen “…greatest risk to Epsilon and Alliance Data is the potential loss of clients” WHAT NEXT? What are the critical issues in this case? Who are the stakeholders? What can Sony learn from other similar scenarios? How will Sony compensate PSN consumers for this malfunction? How can Sony not lose consumer confidence in products? How should Sony handle the regulatory environment surrounding data theft protection? What communications should Sony make and to whom?