Is the Sony Breach Worse than Others?
The Sony PlayStation breach has made a lot of people very angry. And rightly so. You put your trust in a company and it fails you by allowing your personal information to be stolen. Heck, I'd be furious with Sony, too.
But as I read the articles on the breach, something stands out to me. There seems to be a lot more wrath hurled at Sony than at other companies that have been breached. Look at the Epsilon breach a couple of weeks earlier, which I suspect affected a lot more people. The reaction seems to be more annoyance than anger.
I am not defending Sony in the least little bit. It has made a lot of wrong moves here. It took way too long to reveal the breach. And at a congressional hearing, it was alleged that Sony was using outdated software and knew it. The Consumerist website noted testimony from Dr. Gene Spafford of Purdue University:
According to Spafford, security experts monitoring open Internet forums learned months ago that Sony was using outdated versions of the Apache Web server software, which "was unpatched and had no firewall installed." The issue was "reported in an open forum monitored by Sony employees" two to three months prior to the recent security breaches, said Spafford.
But in a USA Today article, it was pointed out that both Sony and Epsilon declined an invitation to testify in front of Congress — but only Sony was held over the coals:
"Their absences were unacceptable," said Rep. Mary Bono Mack, R-Calif., who chaired the House Committee on Energy and Commerce subcommittee hearing.
"I hate to pile on, but — in essence — Sony put the burden on consumers to 'search' for information, instead of accepting the burden of notifying them. If I have anything to do with it, that kind of half-hearted, half-baked response is not going to fly in the future," said Bono Mack, who plans to introduce legislation to protect consumers against data theft.
Unfortunately, the moral here is that you give your information to a third party, blindly trusting them, whether a bank, a credit card company, a phone company, Amazon, J. Crew, or Sony. You are blindly trusting that they will use the information wisely and secure it. And you have no say in how they do that, and you have no recourse if they [mess] up.
I think Schneier nailed it when he said that what is different in this situation is that it was a breach of a gaming system. This is something personal, something that the affected users touch every single day. When you give your information to your bank or supermarket or doctor, you don't think about what they do with the information; those breaches are more distant. But PlayStation? That's something you touch every day, something you interact with — something you think you have control over. I'd bet that for a lot of these people, it is their first truly personal experience with a breach.
I don't believe Sony deserves to be the only whipping boy on this. However, it might just be the incident needed to make people on both the business side and the consumer side really step up and notice how a breach can affect our lives.