So, I guess that just leaves one big unanswered question: whose fault is this mess, anyway? Well, the answer to that one is not so simple, as there's plenty of blame to toss around.
First, Sony is to blame. Obviously, they could have taken plenty of extra security measures. Now, if you know anything about IT, security, and the web, you know that there is no such thing as a 'hack-proof' system. No matter how high you build the wall, there's always some asshole with a longer ladder or a bigger breaching charge.
Still, Sony apparently had user info stored unencrypted (credit card data was encrypted, according to Sony, just not user details) on the system. Really? That's the best you've got, Sony? I picture some guy at PlayStation headquarters hunched over a keyboard filling an Excel spreadsheet with user info and just shake my head. This is bad, Sony.
You also decided to make a complete investigation of the hack before informing your users what had happened, and that their info might be at risk. Now, this one you need to think about. It's easy for users to get bent out of shape over this, but there are two things that many people need to consider before they go getting their panties in a bunch.
- If Sony believes this was a criminal act (and they obviously do), they are perfectly within their legal rights to withhold the info pending the commencement of a law enforcement investigation. I feel like this is the leg Sony is going to try to stand on in court, but that is nothing more than me guessing at it.
- Sony wanted to be damn sure before they announced the severity of the breach. Think of it this way: How mad would you be if Sony had announced that your info may be compromised, and then turned around and said, "Oh, never mind, it's not." First, you wouldn't believe them. The net would be full of posts howling at the "Sony cover-up." Second, the bad PR would already be out there, and they'd have to fight it just like they are doing now. By investigating it first, they made sure that they were announcing the truth, and made sure that the PR war was necessary.
You see, it doesn't make sense to get angry about Sony getting hacked. Companies get hacked all the time. Some announce it, some don't. Some don't involve user information, and some do. Less than 6 months ago, Kotaku get hacked, and a ton of user info was freely available on the web. Already this year, Play.com user details were leaked, although they named a third-party marketing firm as the location of the breach. The government gets hacked, non-profits get hacked, it's the price of doing business in the online world that we live in today.
Therein lies the second, and far more appropriate place to lay blame: the hackers themselves. There's plenty of speculation that Anonymous may have been behind the breach, even though the group has denied being involved. However, it's entirely possible that one or more of the many folks who make up that amorphous group could be responsible without the knowledge of the folks who speak for them. At the moment, no one knows who the culprit was.
What we do know is that a malicious person or persons illegally accessed private data on Sony's servers, and that's a crime. Yes, Sony should have secured it better. Yes, they could have hardened their network more. Neither of these things is up for debate. But if you review the facts logically, it's difficult for me to understand how anyone can point the finger solely at Sony.
I guess what this long-winded diatribe is saying is that while it's perfectly OK to be pissed off at Sony for their handling of this incident, it's not OK to give the hackers a free pass. Go ahead, rail at Sony for the shoddy job they did protecting your info. They completely deserve it. Just make sure you save a dose of the same ire for the criminals who perpetrated the act. After all, they're the ones benefiting from breaking the law.