Revisiting the Great Sony Hack of 2011
As companies continue to innovate and find new ways to leverage technology effectively, data has become more than a by-product of doing business; in many ways it has become the product itself. In today's ever-changing technical climate, the integrity and security of data are more important than ever before. Companies must therefore recognize that data strategy and governance have to be considered if an organization is to manage its data successfully. As recent events illustrate, companies face dire consequences if they do not take great care not only with the security of their data but also with the implementation of their security programs.
One example of a company suffering the consequences of a large-scale data breach is Sony in 2011. In April of 2011, hackers obtained personal information, including credit card numbers and bank routing information, from over 100 million Playstation Network (PSN) users (Laudon & Laudon, 2016). The breach had far-reaching negative outcomes, some of which did not appear until years later. This article explains the types of breaches Sony experienced, the consequences of those breaches, and the impact they had on Sony's brand and reputation, and it analyzes Sony's previous and current security practices.
Types of Breaches
What makes the 2011 Sony breach unique is that two separate types of incidents occurred. First, Sony was hit with a Denial of Service (DoS) attack that left PSN services inaccessible to customers. A Denial of Service attack is, by definition, an attempt to compromise the availability of a service by exhausting a critical resource associated with that service, such as bandwidth (Stallings & Brown, 2012). In this case, the hackers succeeded in bringing down Sony's network, preventing millions of customers from accessing the services they had paid for. While Sony was hard at work recovering from the DoS attack, the hackers then executed a classic data breach that resulted in the release of otherwise protected information (Gaudiosi, 2014). The hackers claimed to be from a group called LulzSec, a faction of bad actors who had splintered from the larger collective known as Anonymous. All in all, the hackers obtained sensitive personal data for over 100 million Sony customers.
Sony experienced a wide variety of both non-economic and economic negative consequences as a result of the breach. Non-economic consequences include damage to the company's reputation and brand, as well as a loss of trust with its customer base. These non-economic consequences correlate directly with financial consequences: some estimates put the net economic impact, including potential future costs and losses in market capitalization, as high as $24.5 billion (PWC, 2011). A large portion of this estimate comes from the potential loss of revenue due to customer mistrust. While that estimate may seem high, financial losses add up quickly, and that figure does not include the actual costs to consumers resulting from identity theft. Excluding future impact yet to be seen, some estimates have the breach costing Sony and credit card issuers up to a total of $2 billion (Laudon & Laudon, 2016).
Reputation and Customer Confidence
As described above, the attacks and breaches took their toll on Sony's reputation and brand name. In fact, an attack of this nature had never before occurred in the gaming industry (Gaudiosi, 2014). As a result, gamers were left extremely wary of Sony's online services and, by extension, its products. Making matters worse, the hack coincided with Sony's push to market the Playstation 3. While the breach was not the sole reason for the failure of the Playstation 3, the console never recovered and quickly lost market share to competitors from Microsoft and Nintendo. The Playstation 3 is now widely seen as the loser of that generation's console wars.
Since then, Sony has worked hard to regain the trust of its gaming customer base through clever marketing, a revamped security strategy, and quality products. Today, Sony again leads the gaming market with its latest console, the Playstation 4. Perhaps the largest step Sony took to restore customer confidence and address the security issues was adopting a comprehensive strategic framework for protecting customer data. That strategic framework now includes the following:
2) Risk Management
3) Integrated Security
4) Incident Management
5) Continuity Planning (PWC, 2011).
Security Practices and Response
In hindsight, it is easy to criticize Sony for failing to prevent such a massive breach. In fact, Sony itself has admitted that the breach occurred through a known vulnerability (Chirgwin, 2011). With that said, experts have estimated that 90% of companies would also have succumbed to the attack and breach (Gaudiosi, 2014). The fact remains that Sony should have been better prepared and proactive in its response rather than reactive. When it was initially hit with the DoS attack, Sony immediately allocated all resources to stopping that attack, which in turn left it completely defenseless and open to the data breach. Had Sony implemented an appropriate Incident Response Plan (IRP), not only would it have been able to respond to the event, but it would also have had the advantage of preparing in advance. Whitman & Mattord (2017) point out that a critical piece of every IRP is the 'Before the Incident' procedures: the procedures that include all tasks necessary to prepare for an incident before it occurs. These procedures would include data backup and recovery tasks, training plans, intrusion detection processes, and decisions about where to allocate resources once an incident occurs. Had Sony had procedures such as these in place, the impact of the attack would likely have been lessened.
Since the breach, Sony's gaming division has taken steps to improve its security posture against both attack types. For example, it now partners heavily with Amazon Web Services (AWS), which considerably improves its ability to withstand a DoS attack. Similarly, Sony management has worked to improve communication and collaboration between its business, technology, and security teams to further develop its ability to plan for and respond to a similar attack proactively. Both are positive steps that appear to set Sony up for success moving forward.
Unfortunately, approximately three years later, in 2014, Sony's motion picture division was hit with an even larger breach. This shows the importance of learning from mistakes and documenting lessons learned. While it is clear that the gaming division had in fact learned from the breach in 2011, it is equally clear that those lessons did not make their way to the other business areas. Hopefully, Sony is now taking the proper precautions across all of its divisions. In an age when hacking attacks are expected, it is critical that Sony address the issues raised by the breaches of 2011 and 2014. It simply cannot afford to let its guard down again. The next time, it may not recover as quickly as it did in 2011 or 2014, if it recovers at all.
References
Chirgwin, R. (2011). Sony: 'PSN attacker exploited known vulnerability'. Retrieved from https://www.theregister.co.uk/2011/05/01/psn_service_restoration
Gaudiosi, J. (2014). Why Sony didn't learn from its 2011 hack. Retrieved from http://fortune.com/2014/12/24/why-sony-didnt-learn-from-its-2011-hack/
Laudon, K. C., & Laudon, J. P. (2016). Management information systems: Managing the digital firm. Upper Saddle River, NJ: Prentice Hall.
PWC. (2011). Limiting the Impact of Data Breaches: The Case of the Sony Playstation Network. Retrieved from https://www.strategyand.pwc.com/global/home
Whitman, M., & Mattord, H. J. (2017). Management of information security. Boston, MA: Cengage Learning.