The Sony PlayStation Network Crash

Presentation transcript:

Stoppage Of Play
The Sony PlayStation Network Crash

AGENDA
The Crash
Company History
Gaming
PlayStation Network
Timeline of Crash
Reactions
Considerations
What’s Next?
http://images4.wikia.nocookie.net/__cb20110618021730/crashban/images/b/b1/Crash_bandicoot_wallpaper_by_tyrannosaurus92-d3adlxn.jpg
http://www.gadgetizer.com/wp-content/uploads/2011/04/playstation-network-hacked-users-contacted.jpg

NEWS FLASH
Pittsburgh Post-Gazette:
“You probably heard about Sony’s PlayStation Network hack if you glanced at the internet, television or even newspaper in the past week. It was such big news even news sources like Fox News, ones that usually reserve video game news for exaggerating the indecencies of the latest mature title, discussed the security breach ad nauseam. To say the hackers did damage to Sony would be the understatement of the year. They crippled the network, knocking it out of commission for a little over a week, and the hackers had access to about 77 million users personal information, including credit card data.”
http://communityvoices.sites.post-gazette.com/index.php/arts-entertainment-living/the-game-guy/28611-was-sony-ready-to-welcome-the-psn-back

CRASH BACKGROUND
DATES: April 17-19, 2011
SITUATION: Hackers illegally access the Sony PlayStation Network and Qriocity services, which hold data on 77 million registered users, with over 12 million accounts containing credit card information.
PUBLIC NOTIFICATION(S): Brief (April 22, 2011); Formal (April 26, 2011)
FINANCIAL IMPACT: Sony shares fall by more than 5%. The costs of resolving the problem and compensating consumers are still to be determined.
FEEDBACK: The public questions the company’s security and response, governments discuss the regulatory environment, and lawsuits are filed.
http://communityvoices.sites.post-gazette.com/index.php/arts-entertainment-living/the-game-guy/28611-was-sony-ready-to-welcome-the-psn-back
http://arstechnica.com/gaming/news/2011/04/sonys-black-eye-is-a-pr-problem-not-a-legal-one.ars

COMPANY ORIGINS
Founded in 1946 by engineer Masaru Ibuka and physicist Akio Morita
Company begins as Tokyo Telecommunications Engineering Corporation, named “Totsuko”
Initial products: portable radios, tape recorders, electric rice cookers
Initial functions: build and repair electrical equipment
Enters North American market in 1950s
The name Sony: Sonus (Latin word meaning sound or sonic) and Sonny Boy (English term denoting youth & excitement)
Large recognizable divisions: Sony Pictures, Sony Computer Entertainment, Sony Electronics, Sony Ericsson, Sony Music, Sony USA
http://www.sony.net/SonyInfo/CorporateInfo/Subsidiaries/index.html
http://www.sony-europe.com/article/id/1178278971500

GAMING HISTORY
1980s – CD technology developed with Philips
1988 – Partnership built with Nintendo to develop cartridge/CD gaming system called “PlayStation”
Early 1990s – Sony & Nintendo disagree on direction and disband partnership
1994 – Sony releases CD-only gaming system called the “PlayStation X”
1995 – Sony Computer Entertainment division is created and headquartered in Sunnyvale, CA
Mid 2000s – Latest version of PlayStation, called PS3, arrives with “Blu-ray” disc technology, wireless internet access, internal storage, digital video & audio outputs, and general navigation menu
Nintendo PlayStation Image - http://t3.gstatic.com/images?q=tbn:ANd9GcTknjcjM1-JO2M5J1F1kn9sKKeEOiuwyFeEOZON4-wS4nb2e5QLBvSwcKK25Q
Sony PlayStation (PSX) Image - http://edu.glogster.com/media/5/35/79/64/35796434.jp

CONSOLE GAMING MARKET
NINTENDO: Wii Sales: $754M; Portable (DS & 3DS) Sales: $827M
SONY: PS3 Sales: $439M; PlayStation Portable Sales: $297M
MICROSOFT: Xbox 360 Sales: $535M
*Please note that sales numbers only represent combined hardware and software numbers without additional subscription revenue, etc.
Sales Totals (as of 4/30/11) - http://www.vgchartz.com/weekly.php?date=40804&reg=World&date=40664#
Sony PS3 Image - https://s3.amazonaws.com/luuux-original-files/bookmarklet_uploaded/1276904134_98872156_1-Fotos-de--Playstation-3-Slim-120GB-SONY-PS3-1276904134.jpg
Nintendo Image - http://www.mogulite.com/wp-content/uploads/2011/06/Nintendo.jpg
Xbox Image -

THE PLAYSTATION NETWORK
Release: Business Briefing Meeting 2006 in Tokyo. Brought on as part of PS3 news.
Specifications: Multi-player gaming, internet, & chat. System updates; downloads and streaming of multimedia.
Registration & Access: Free user registration. Access via PlayStation 3, PlayStation Portable, or PC.
Transactions: Paid for using electronic funds. Originally done through tickets but now pre-paid & credit cards are okay.
Users: 77 million registered online worldwide as of 4/30/11.
Sony PSP Image - http://www.newgadget.info/wp-content/plugins/wp-o-matic/cache/f1bfd_sony-psn-minis-press.jpg

TWO LONG WEEKS – BREACH
4/19: Illegal activity is detected in network.
4/20: Engineers discover intrusion evidence and shut down PSN.
4/21: Sony retains services of external security firm.
4/22: Sony provides FBI info and comments on blog without discussing data loss.
4/23: Forensic teams confirm advanced attack and notify public.

TWO LONG WEEKS – DIAGNOSIS
4/24: Sony continues work with forensics on server problems.
4/25: Account details (name, address, email, password, etc.) are confirmed stolen.
4/25: Global credit card info loss cannot be confirmed.
4/26: Kaz Hirai, head of Sony gaming, appears at news conference for tablet PCs without taking PSN questions.

TWO LONG WEEKS – FALLOUT
4/26: Sony emails consumers with detailed hack info.
4/26-4/27: Sony begins notifying regulatory entities of breach.
4/27: Shares fall 2% on news of potential data loss and first lawsuit filed against company.
4/28: Shares drop 4.5% in Tokyo.
4/29: Sony refutes claims of 2.2 million credit card accounts stolen.

REACTION – CONSUMERS
CNN reported that “Gamers (are) fuming”
+sid4peeps: “This update is 6 days LATE. I think it is time to move to the other network, no regard for customers here”
+Korbei83: “If you have compromised my credit information, you will never receive it again. The fact that you’ve waited this long to divulge this information to your customers is deplorable. Shame on you”
+tazinlwfl: “…I love my PS3. I really like Sony and I support the developers 100%, but this really tests everyone’s patience. It really tests my patience.”
http://ingame.msnbc.msn.com/_news/2011/04/27/6544610-sony-sued-could-bleed-billions-following-playstation-network-hack ... first paragraph first law suit was filed
http://articles.cnn.com/2011-04-27/tech/sony.playstation.hack.reaction_1_credit-card-playstation-users-playstation-network?_s=PM:TECH
http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/

REACTION – DEVELOPERS
“Our belief is that whilst this is terrible news… it won’t affect the user base too much.” Stewart Gilray, Just Add Water
“PSN being out definitely affects our bottom line… but as long as the people who were going to be playing… get right back in there playing… we’ll be happy and hopefully income won’t be dented too much.” Dylan Cuthbert, Q-Games Developer
“From my perspective, the bigger issue is not about PSN, but confidence in digital distribution generally.” Ste Curran, Zoe Mode Creative Director
“We have our first self-funded, self-published PSN game,… coming out next week, so from our point of view, the fact that the network isn’t available is a big concern.” Lol Scragg, Cohort Studios Founder
http://www.guardian.co.uk/technology/gamesblog/2011/apr/29/psn-hack-industry-reactions
http://www.joystiq.com/2011/04/27/psn-devs-offer-mixed-reactions-to-cost-of-outage/
http://www.develop-online.net/news/37566/PSN-dev-Downtime-has-cost-us-thousands

REACTION – GOVERNMENT (Domestic)
“I am concerned that PlayStation Network users’ personal and financial information may have been inappropriately accessed by a third party. Compounding this concern is the troubling lack of notification from Sony about the nature of the data breach. Although the breach occurred nearly a week ago, Sony has not notified customers of the intrusion, or provided information that is vital to allowing individuals to protect themselves from identity theft, such as informing users whether their personal or financial information may have been compromised. Nor has Sony specified how it intends to protect these consumers.”
Senator Rick Blumenthal (D-Connecticut)
http://www.techfirm.com/storage/JohnsvSony-Complaint-FINAL.pdf
http://www.ps3blog.net/2011/04/26/senator-richard-blumenthal-demands-answers-from-sony-over-playstation-data-breach/

REACTION – GOVERNMENT (International)
Christopher Graham, UK’s Information Commissioner
Researching PlayStation hack
Has power to fine companies £500,000 for serious data breaches
Jennifer Stoddart, Canada’s Privacy Commissioner
Currently investigating Sony to determine whether it has violated any privacy laws
http://www.techfirm.com/storage/JohnsvSony-Complaint-FINAL.pdf
http://www.telegraph.co.uk/technology/sony/8476441/PlayStation-hack-Sony-faces-watchdogs-questions.html
http://www.bloomberg.com/news/2011-04-28/sony-faces-lawsuit-regulators-scrutiny-over-playstation-user-data-breach.html
http://www.itwire.com/virtualisation/46877-minister-sony-hack-firms-breach-notification-case
http://www.businessweek.com/news/2011-04-28/sony-faces-lawsuit-regulators-probe-over-playstation-hack.html

LAWSUITS
“This action arises from SONY’s failure to maintain adequate computer data security of consumer personal data… Subsequent to the compromise of private consumer information and financial data, Defendant unduly delayed or failed to inform in a timely fashion the appropriate entities…” Kristopher Johns v. Sony Computer Entertainment America
“Because of Defendant’s actions, millions of their customers have had their Financial Data, Personal ID, and Usage Data compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages.” Rebecca Mitchell v. Sony Computer Entertainment America
http://www.techfirm.com/storage/JohnsvSony-Complaint-FINAL.pdf
http://www.telegraph.co.uk/technology/sony/8476441/PlayStation-hack-Sony-faces-watchdogs-questions.html
http://www.motleyrice.com/files/consumer-fraud/04-27-11_sony_mitchell_complaint.pdf

LAWS & REGULATIONS
Payment Card Industry – Data Security Standard (Requirements)
Maintain a firewall
Don’t use vendor-supplied default system passwords
Protect cardholder data
Encrypt transmission across open, public networks
Use and update anti-virus software
Maintain a policy that addresses information security
Restrict access to need to know
Assign a unique ID
Restrict physical access to cardholder data
Track and monitor all access to network resources
Regularly test security systems
Develop and maintain secure systems and applications
http://www.defendyourdollars.org/2005/02/states_with_not.html => Laws vary greatly from state to state

SIMILAR SITUATIONS
Microsoft Xbox Live
SCENARIO: 12/22/07 – Microsoft’s Xbox Live service went down for 13 days due to a server crash.
RESPONSE: Free downloadable arcade games to members, valued at roughly over $80M.
ADDITIONAL INFORMATION: 01/03/08 – Microsoft was notified that they were the subject of a $5 Million class action suit.
Epsilon
SCENARIO: 03/30/11 – Epsilon discovered that its network had been breached.
RESPONSE: 04/01/11 – Official press release issued notifying public.
ADDITIONAL INFORMATION: Clients’ (Kroger, JP Morgan, Capital One) customer data was stolen. “…greatest risk to Epsilon and Alliance Data is the potential loss of clients”
http://www.wired.com/gamelife/2008/01/xbla-undertow-f/ Shows that the price of the XBLA game Undertow at the time was $10.
http://www.dailytech.com/Xbox+Live+Collects+Eight+Million+Users+in+Five+Years/article9665.htm In the month before the incident there were over 8 million users. Assuming that every user downloaded the game or was compensated for their purchase, it meant a potential loss of revenue to Microsoft in excess of $80 Million, probably more, because the cause of the downtime seemed to be that an extremely large number of players tried to sign up and use the service during the holidays.
http://www.gamespot.com/news/6184323/microsoft-sued-over-xbox-live-outage $5 Million Class Action Suit
http://www.foxbusiness.com/technology/2011/04/06/alliance-data-sees-minimal-impact-data-breach-epsilon/ Says that the largest impact will be due to the loss in trust from its customers (Source for Quote)
http://www.epsilon.com/News%20&%20Events/Press%20Releases%202011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3

WHAT NEXT?
What are the critical issues in this case?
Who are the stakeholders?
What can Sony learn from other similar scenarios?
How will Sony compensate PSN consumers for this malfunction?
How can Sony not lose consumer confidence in products?
How should Sony handle the regulatory environment surrounding data theft protection?
What communications should Sony make and to whom?