Great post by rothbart from the sarcasticgamer forums, regarding the PS3 hackage:
I need to ignore Twitter right now… there are tons of people (and site feeds) spewing ignorance galore…
I work at a company that deals with data security… we wish everyone that lost a laptop or left data unencrypted had used our product(s) first. The fact is, NOBODY is impervious to being hacked. It happens all the time to tons of companies. It happens at a much larger scale than the 75M PSN users.
By data breach standards, what Sony has done here is the absolute textbook implementation of what to do correctly. They didn’t put protocol aside to keep selling PSN content. They didn’t put protocol aside to let gamers keep gaming, potentially muddying up the systems being scoured for clues. They didn’t try to hide that this happened. They didn’t try to analyze it themselves but instead brought in experts.
The people and sites that are faulting Sony on how they’ve handled this so far are simply, and I mean no disrespect by the use of the very most accurate word I can think of… “ignorant” as to what they’re talking about.
If you think Sony should’ve battened down the hatches and never gotten hacked… talk to the HUNDREDS of other companies/brands/organizations out there that have endured the exact same fate. If you think Sony shouldn’t have been storing credit card information (at all or in a certain way) you should know that all that exist now are recommendations or guidelines, there are no LAWS yet that force companies to certain degrees of protection and even if they were adequately protected, depending on the extent and nature of the hack, having them protected to PCI DSS guidelines STILL might not prevent people from getting to our credit card information…
That said, Sony said there was no evidence that our credit cards were compromised. They recommended (and to be honest, this was worded well) that “While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.” How can they be faulted for that? Would you rather they lie and say “you’re safe” or “they were compromised”?
This was a textbook reaction to a large scale data breach and unlike MOST companies where we’d simply get an unexpected letter in the mail, we were somewhat kept in the loop by the raised awareness from PSN being down leading them to say something. You don’t spill details during an investigation and these things take time. Hell, try checking out your computer after you’ve had a trojan installed and activated… now amplify that work by about a bajillion. Going through that stuff takes time.
Here’s the actual link: http://forums.sarcasticgamer.com/showpost.php?p=645846&postcount=734