As Sony’s Breach Tops 100 Million Accounts, It Needs To Fix Its Encryption RhetoricWritten by Evan Schuman
Thus far, Sony’s IT people are not having a great spring. Facing a 100-million-account data breach, Sony’s management this week worked hard to see if they could make this situation any worse. Consider this statement Sony used, trying to defend itself and its security operations: “The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”
Word of advice to any retailer that is publicly dealing with a more-than-100-million-account breach: Be awfully conservative in using the phrase “of course.” Limit it to sentences such as “Of course we’ll refund your money” and “Of course we’ll pay for your credit monitoring and your time in dealing with our mess” and “Of course we’re idiots who you should spit upon.” If you feel the desire to say “of course” to modify that you had “a very sophisticated security system,” you need to pop another Valium and write a new draft.
Typically, “very sophisticated security system” and “more than 100 million breached accounts” don’t usually work well together, especially when senior Sony executives call a news conference to apologize for the company’s security mechanism.
When a general gets clobbered in a battle, losing ground and a huge number of soldiers, it’s an unwise move to explain yourself to the Pentagon by bragging about how you had this really sophisticated attack plan and that it’s really all the fault of the enemy. They might have an alternative theory.
Let’s go back to Sony’s posted Q&A. “Q: What steps is Sony taking to protect my personal data in the future? A: We’ve taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network.” To paraphrase: To make you safer, we’ve shut down. This is our solemn promise: As long as we’re not operating, you will not lose any more data.