Data breaches happen with startling regularity, but they rarely occur on the scale of the 2011 Sony PlayStation breach. When hackers cracked open the PlayStation Network, 77 million users were affected: their passwords, credit card information, security answers, physical addresses and more were all in the hands of thieves. It was a nightmarish scenario for those users and for Sony, but it was much more than just a bad dream.
The results of the PlayStation breach are still playing out. In January 2013, the United Kingdom’s Information Commissioner’s Office (ICO) fined Sony nearly $400,000 for the hack. After the breach, companies saw just how important it was to keep their own systems secure; it’s estimated that the breach cost Sony $170 million. The company also faced lawsuits and government scrutiny from both the United States and United Kingdom, not to mention a major drop in its stock prices immediately following the incident.
No breach since has affected so many users, but breaches still continue to happen. Lessons learned in the aftermath may have helped in combating hacks and increasing security, but everyone needs to keep those lessons in mind and continually update them.
• Companies, even tech companies, have to stay on their toes. Authorities within the ICO stated that the PlayStation hack was “preventable” and noted that a company like Sony, which is at the forefront of the technology industry, should have had the most up-to-date security system available. In Sony’s systems, credit card data was encrypted, but other personal information was not. While companies aren’t required to encrypt personal data, after the PlayStation hack, it became clear that doing so is a best practice. Data encryption software and solutions are continually evolving.
• Response time matters. The PlayStation hack happened sometime between April 16 and 19, 2011, but Sony didn’t shut down the system until the 20th, and then waited to make an announcement about the breach until the 22nd. It wasn’t until April 26th that the company confirmed users’ data had been compromised. During that period, users were confused, nervous and angry at the company’s sparse communications. One of the key takeaways from the hack was that telling customers what’s going on is essential, not just from a customer service standpoint, but because most states have laws requiring disclosure of breaches.
While users can protect themselves with clever passwords and other identity theft protection methods, corporations should be equally concerned with protecting their users.