Wednesday, April 27, 2011

Sony and Amazon, Thanks for the Lessons

Wow! What Were They Thinking?

On April 20, Sony shut down access to its PlayStation Network and waited seven days to tell its 77 million customers that some of their personal information had been stolen.

In fact, when Sony finally did say something, they conceded they discovered hackers were in their system between April 17 and April 19. They didn’t shut down the system for another day and then waited until April 26 to tell their gamers/customers something had gone wrong and an unauthorized person or persons had got away with their names, full address, e-mail address, date of birth, PlayStation/Qriocity password and log-in information, and handle/PSN online ID.

Sony seemed to reluctantly add it is possible the thief also downloaded your password security answers and purchasing history.

You can imagine the outrage from PlayStation gamers. It’s a little hard to tell whether some of them are more irate because they can’t access the Network and play, or because their personal data has been stolen.

But there is no question about the reason for the outrage from U.S. Sen. Richard Blumenthal. The Connecticut Democrat sent a letter to the head of Sony America demanding an explanation of why Sony waited so long to alert its customers about the data theft. Sen. Blumenthal told Sony head Jack Tretton, “…it is essential that customers be immediately notified about whether and to what extent their personal and financial information has been compromised.”

To make matters worse, after public criticism when Sony finally did reveal some details, the company came back with an additional comment claiming they didn’t know personal information had been stolen until just the day before (six days after they shut down the network and 9 days after the attack apparently began).

How could they not know? Why did they not check that first?

The same week Sony was turning off its phones and ignoring e-mail and tweets, Amazon’s EC2 “Cloud” Web-hosting service crashed and took down scores of on-line operations that depend on Amazon to host their services. Some were only getting back on-line 80-plus hours later.

Amazon had very little to say. In fact, a search of the www.aws.amazon.com/ecs website turned up no mention of the outage, and the home page continued to display this reassurance:
“Secure – Amazon EC2 provides numerous mechanisms for securing your compute resources.”

I’m not a “compute” expert, so I don’t know if they have a typo on their home page, or “compute resources” means something special.

Amazon and Sony operate in their own world…for the rest of you…don’t do as they do.

If you have a data loss or meltdown, be prepared to acknowledge it as soon as possible, and at the same time, begin reassuring your customers, partners, employees or whoever may be impacted, that you are working on it.

If you’ve caused them harm, express your regrets, and offer to do what is reasonable to minimize the damage you may have caused.

Some lawyers will likely counsel you to keep your mouth shut and not take any responsibility for what happened. There may be rare occasions when that is good advice, but most of the time that advice will cost you more in the long run.

You can anticipate all the things that might go wrong with your data handling and storage systems and have a plan, including a communication plan, in place and ready to activate when the disaster strikes.
