So, the PSN Debacle.
Any time the phrase “The Hackers” comes out I tend to roll my eyes a little bit–I guess Hollywood’s done its job by making them come across as super-lame. I mean we all saw Hackers, The Matrix, The Net–they were cheesy good times and they did a great job of making hackers in general come across as cartoonish, either godlike geniuses or moustache-twirling villains who won’t give you your life back unless you give them the disk.
But now we’ve got an actual issue, and as of the time of this writing it’s taken over a week–a full week!–and Sony’s still not really sure of the extent of the damage that’s been done, or if they are, they’re not saying.
The FAQ on Sony’s site states that they learned about the security breach “between April 17 and April 19″. They remained vague about it until the 22nd, when they finally admitted there was an external breach. The next few days had several similar vague announcements–we’re trying to figure it out, we’re looking into it.
On the 25th, Sony’s forensic analysts determined that there was indeed a breach and that user data was indeed compromised–a post from Patrick Seybold explained that they waited until they were sure about the extent of the breach to communicate about it. Why they waited an extra day until the 26th to finally confirm things, I haven’t found any information on.
While The Hackers may have dealt the initial blow–ruining the PSN’s security and causing all of this downtime–Sony’s done nothing but shoot themselves in the foot. Do they not have an emergency communications team? If they don’t, there are consultative firms who specialize in this sort of thing. The second–the second!–that Sony realized that there had been an intrusion they should have been on the phone to both security and emergency communications firms, both who would have advised the action that Sony took–shutting down the network.
A statement should then have been immediately released, mentioning the possibility of an external intrusion, that the network was being shut down as a protective measure, and that an investigation to determine the scope of the breach was underway. Sony should have been releasing press releases every few hours, even if no new information existed, detailing what was going on in the investigation. They should have immediately cautioned users about possible fraudulent emails, suggested monitoring of credit card accounts, etc. They shouldn’t have gone for the better part of a week without giving any concrete information, and they CERTAINLY shouldn’t have sat on the news of compromised date for a day.
Compare this to the 1982 Tylenol poisonings which are nearly universally considered to be an exemplary model of how to handle crisis PR. The reason you’re able to buy a bottle of Tylenol today is because of how well Johnson and Johnson handled it–when the incidents initially happened, many analysts believed that the brand would be too tainted to be commercially viable.
In the fall of ’82, several people took Tylenol and died within a few hours. The connection was discovered quickly and it was determined that the pills had contained something in the neighborhood of ten thousand times the lethal dose of cyanide. They determined that the poison did not get into the capsules at the manufacturing plants, that several different manufacturing lots were involved, and that the pills were purchased from five different stores. While it seemed that the incidents were isolated to the Chicago area, Johnson and Johnson considered it a national crisis–for obvious reasons, people across the country were avoiding the brand.
Johnson and Johnson immediately offered to work with the FDA, the FBI, and the local police to assist with the investigation. Even though it was determined that the deaths were the responsibility of a random poisoner who was unconnected with the company, J&J made it their duty to pull advertising and warn the public. They instituted a nationwide recall of all Tylenol products. I remember my mother telling me that when it happened, there was a spokesperson constantly on the news updating people about what steps the company was taking. Instead of distancing themselves from what was happening–again, given that it wasn’t directly their fault, they could have, and most companies at the time would have taken that option–they took an active role in the public’s safety and were rightly praised for the demonstration of care for their customers.
Within six weeks, Tylenol reappeared on shelves with new seals on its packaging–that’s why today when you buy most over-the-counter medication you have to go through the cotton and the plastic seal and the box. They heavily discounted the price of the medication and launched a completely new advertising campaign. All told, Johnson and Johnson lost millions in the short term between the recall and the pulling of advertising and the new campaign and the discounts, but they not only preserved but even improved their reputation by their handling of the crisis. The corporate philosophy placed its customers first–the company felt a sense of responsibility towards the well-being of those who were using its products and believed that their welfare was more important than the company’s. That they did everything in their power to help customers feel safe and communicate transparently what was going on demonstrated this, and customers responded very well.
The PSN outage does not directly threaten anyone’s life, but financial and residency information is threatened. It’s not directly Sony’s fault that there was an intrusion–but it’s Sony’s responsibility to make its customers feel safe. Sony’s corporate philosophy is clear–it places itself above its customers. It should be admitting its problems and letting us know what steps it’s taking to fix it–to beef up security, to investigate the extent of the damage. Instead, it reminds me of a kid who accidentally breaks a vase and, fearful of getting punished, stacks the pieces together and hopes no one will notice.
Filed Under: Blog