As Sony's Breach Tops 100 Million Accounts, It Needs To Fix Its Encryption Rhetoric

Thus far, Sony's IT people are not having a great spring. Facing a 100-million-account data breach, Sony's management this week worked hard to see if they could make this situation any worse. Consider this statement Sony used, trying to defend itself and its security operations: "The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

Word of advice to any retailer that is publicly dealing with a more-than-100-million-account breach: Be awfully conservative in using the phrase "of course." Limit it to sentences such as "Of course we'll refund your money" and "Of course we'll pay for your credit monitoring and your time in dealing with our mess" and "Of course we're idiots who you should spit upon." If you feel the desire to say "of course" to modify that you had "a very sophisticated security system," you need to pop another Valium and write a new draft.

Typically, "very sophisticated security system" and "more than 100 million breached accounts" don't usually work well together, especially when senior Sony executives call a news conference to apologize for the company's security mechanism.

When a general gets clobbered in a battle, losing ground and a huge number of soldiers, it's an unwise move to explain yourself to the Pentagon by bragging about how you had this really sophisticated attack plan and that it's really all the fault of the enemy. They might have an alternative theory.

Let's go back to Sony's posted Q&A. "Q: What steps is Sony taking to protect my personal data in the future? A: We've taken several immediate steps to add protections for your personal data. First, we temporarily turned off PlayStation Network." To paraphrase: To make you safer, we've shut down. This is our solemn promise: As long as we're not operating, you will not lose any more data.Continuing with its Q&A: "Second, we are enhancing security and strengthening our network infrastructure. Moving forward, we are initiating several measures that will significantly enhance all aspects of PlayStation Network's security and your personal data, including moving our network infrastructure and datacenter to a new, more secure location, which is already underway."

Sony is moving its datacenter to a new building? That's baffling but it's actually more BS than baffling, given that they had planned to move to that new location long before the breach.

Next question: "Has Sony identified the party or parties responsible for the PlayStation Network hack and subsequent theft of personal information? A: We are currently conducting a thorough investigation of the situation and are working closely with a recognized technology security firm and law enforcement to find those responsible for this criminal act no matter where in the world they might be located." Sony isn't even identifying the security firm, other than to say that it's recognized? It's understandable to not reveal what security firm has been hired. But if you choose to not mention the firm's name, you don't get to boast about it. Besides, the best boast you could come up with is recognized?

By the way, in congressional testimony on Wednesday (May 4), Sony did a much better job of answering the question. When asked the same question, Kazuo Hirai (Chairman of the Board of Directors of Sony Computer Entertainment America LLC) answered: "No."

Then there's this: "Q: When will the PlayStation Network and Qriocity be back online? A: Our employees have been working day and night to restore operations as quickly as possible, and we expect to have some services up and running within a week from yesterday. However, we want to be very clear that we will only restore operations when we are confident that the network is secure."

Sony wants to assure everyone—including the handful of people somewhere who have not been personally involved in the breach—that "we will only restore operations when we are confident that the network is secure." Easy question: Guys, would you say that you were confident before that the network was secure?

Guess there's a plus side to the breach number now hitting 100 million. With a global population of 4 billion, Sony's brushing up against the physical limit of how bad this can get.