How a Giant Manages a Giant Incident (watching Sony)

Posted on April 28, 2011 by


Now it is something of a must to comment on the recent hacking of the Sony PlayStation Network (PSN). The scope and numbers are staggering: the personal information of 77 million customers was compromised, and we are talking about every detail a customer had to give away when registering with the Sony service (and Sony asked for a lot of details ...). As of today, the PSN outage has lasted more than seven days and, last but not least, as of today it is still not clear whether the credit card details of up to 77 million customers have been exposed.

It might sound unethical, but I have to say: from an Information Security Management perspective, this is extremely interesting to watch (actually I am not only watching but also affected and acting, since I am a PSN customer as well). This is because of all the facets covered by this huge incident, all the usual suspects one finds in the InfoSec textbooks, now playing out more or less live and more or less publicly: from first incident response to forensics, impact assessment and damage control, crisis management, crisis communication, liability and legal questions, through to service recovery. And it is interesting to see how a giant like Sony is handling and managing all of this.

Let's see how this continues, let's watch it, and let's learn from it.


I am curious to see the development and outcome of the lawsuits. A first class action lawsuit has apparently already been filed in the US, accusing Sony of failing to have appropriate controls in place, failing to provide prompt warnings, and delaying bringing the service back online (Source:

And what about PCI? Doesn't PCI require a company not to store cardholder data? To be precise, PCI DSS does not forbid storing the card number (PAN) outright; it forbids storing sensitive authentication data (CVV2/CVC2, full magnetic stripe or chip data, PINs) after authorization, and requires any stored PAN to be rendered unreadable, for example by strong encryption, truncation or hashing. So the open question for Sony is not only whether card data was stored, but in what form, and whether the sensitive authentication data was ever retained at all.

Posted in: Observation