Sony PlayStation Security Breach Case Study: Lessons Learned

SONY PLAYSTATION: IT DOES EVERYTHING! (EXCEPT PROTECT PRIVATE DATA AND COMMUNICATE EFFECTIVELY Case Study Presentation Sally-Marie Ryan Consumer Relations

SONY AND ITS SUCCESS Known as one of the biggest names in technology, Sony has established themselves through constant advancements and innovations. From the very first personal stereo system, the Walkman, to compact disks, all the way to PlayStations, Sony has been at the brink of every major technological advancement in history. In 2019, Sony generated just over $20 billion worldwide and gaming and network services accounted for just over $18 billion of that

TIMELINE AND FACTS April 20, 2011, Sony networks stopped working, preventing consumers from using PlayStation and Qriocity. April 21, 2011 Sony put out their first statement on a blog post informing consumers that the company was investigating the cause of this pause, indicating it may be a day or two until services could resume. April 22, 2011 Sony admits that the company has been hacked and says they are working tirelessly to fix the issue. April 23, 2011 Sony posts an apologetic response indicating they are looking to add more security to their platforms. The following day the same post was posted again. April 25, 2011 Sony puts out a statement to all Sony users informing them that their personal information may have been compromised but claiming that at that time there was no physical evidence to indicate any personal information had been stolen. They warned consumers to watch for sign of theft. U.S. Sen. Richard Blumenthal criticized the company for its late response time in telling consumers about the hack.

April 29, 2011 the U.S. House Subcommittee of Commerce, Manufacturing, and Trade sent a letter to Sony asking why they waited so long to notify consumers. Sony replied by explaining that they wanted to accurately diagnose the problem before putting out any false information. According to the company, there was only a small indication that the security had been hacked initially. May 1, 2011 Sony issued a public apology at a news conference in Tokyo. They listed their primary goals as improving security, creating a customer appreciation program, and regaining the trust of their consumers. On the same day, May 1, 2011 Sony underwent yet another security breach, thought to be related to the initial one in April. May 4, 2011, U.S. representative Mary Bono Mack issued her frustration with corporations like Sony who compromise consumers data indicating a change needed to be made for the future. On June 2, 2011 Tim Schaaff responded to her claims by clarifying timelines and communication outlets that would best reach Sony consumers (like their blog). In response to Blumenthal s request, Sony agreed to provide a one year of free credit monitoring service to users, and purchased a $1 million insurance policy to cover the possibility of it occurring in the future. They issued a lengthy letter clarifying the timelines of the case and what they plan to do in the future to prevent it from happening again. Following the letter, Sony created their customer appreciation program offering free movies, music, and 30 day free trials.

ORGANIZATIONS INVOLVED Sony The U.S. House Subcommittee of Commerce, Manufacturing, and Trade

KEY PUBLICS External: Loyal Sony consumers/ gamers Technology retailers Media/ news outlets Internal: Sony employees who were responsible for preventing hackers, identity theft, and protecting consumers private information.

R.A.C.E Research Following the indications that Sony was being under attack, they hired outside security teams to research what had happened and preventative measures for the future. Action Planning Sony added additional automated software monitoring and configuration management to defend from attacks, enhanced levels of data protection and encryption, new capabilities to detect software intrusions, additional firewalls, enhanced security, and a new Chief Information Security Officer. Communication Sony initially issued a blog post informing consumers of the potential breach, then issued a number of responses clarifying the timeline of events. Evaluation Sony recognized that the security they currently had was not up to par, and that they had room to grow in terms of consumer security, communication and response time, consumer trust.

SWOT ANALYSIS: SONY Strengths Sony is known as a leading technology innovator Well established, game savvy consumer base Weaknesses Internal issues with security and consumers privacy Opportunities Growth through consumer protection Sony can prove to consumers that they actually care about their safety Threats Every year about 9 million Americans are victim to identity theft, an issue that may never go away and poses as a threat to personal and national security

SONYS RESPONSES Reactive Responses: Defensive response: Sony clarified timelines and events in each response while defending their actions. They did not believe they did anything wrong. Vocal Commiseration: Sony offered their apologies for any stress the breach had caused on their consumers Rectifying Behavior: Sony underwent an investigation where they were able to clarify everything that actually took place. They took corrective action by implementing new security measures to protect consumers private information.

COMMUNICATION TACTICS Face-to-face Communication Sony spoke at a news conference in Tokyo apologizing on behalf of the entire issue. They address concerns they ve caused for consumers and identify areas of growth within the company to prevent similar issues in the future. Organizational Media Sony posted information about the breach on their user friendly blog. The blog is highly interactive so it gave consumers a platform to communicate concerns. News Media Several news releases apologizing on behalf of the company Advertising and Promotional Media Sony used the case to better themselves, proving to consumers they are dedicated to bettering their security measures.

EFFECTIVENESS OF COMMUNICATION TACTICS: Timing Most of this case occurred within a few days, with the initial realization of the breach occurring on April 17. Most responses from Sony occurred between April 21, 2011 to May 1, 2011 Use of language Shift in tone from defensive to apologetic Written, Spoken, and Visual elements Sony added frequently asked questions about the breach to their website and blog to inspire honesty and trust

ETHICAL AND LEGAL CONSIDERATIONS Core values Honesty Consumers wondered if Sony was being honest about their timeline of events Loyalty Loyalty was questioned by consumers when information was not disclosed to them in an effective and efficient way Fairness Consumers questioned the fairness of the case in that they were not given full information immediately that could have affected their personal security Code Provisions Free flow of information Sony attempted to maintain open communication between consumers, but failed to in the beginning of the case Disclose of information Sony failed to disclose all information concerning consumers in an efficient and fair timeline

ANALYZING THEIR SUCCESSES AND FAILURES Successes: Implemented a variety of new security measures following the breach proving to consumers Sony is dedicated to protecting them in the future Issued an effective letter clarifying timelines and potential plans for the future in digital security at Sony Customer appreciation program offering free movies, music, and 30 day free trials Pledged to regain consumers trust as primary goal Failures: Lacked initial communication in the time it was most vital to consumers Cloudy timeline of events until later clarification by Sony Ineffective communication left consumers questioning the honesty and transparency of Sony

DISCUSSION QUESTIONS 1. Is there more Sony could have done to prevent this case from occurring in the first place? 2. Do you believe there will ever be a world where consumers are completely protected from hackers, identity theft, and privacy problems? 3. In terms of reputation management, how did Sony prove to consumers that they wanted to better their security online?