Last week, Sony was supposed to answer to the folks on Capitol Hill for the major data breach of the PlayStation Network and other affiliated Sony networks. However, Sony didn’t show. In the absence of anyone to speak on Sony’s behalf, Representative Mary Bono Mack dug deep and criticized both Sony and Epsilon for not notifying customers soon enough after the attack.
An anonymous operator of the Databreaches.net website, known only as “Dissent,” said that he (or she?) is stunned that people are upset that it took Sony a few days to notify the public, when a year ago notification within two months would have been considered fast. Databreaches.net closely tracks and monitors data breaches.
The fact is that it’s common for companies to wait a few weeks before disclosing a breach, to give themselves time to assess the extent of the damage. Sony, on the other hand, released information before it was truly ready and, as a result, had to make a number of corrections that were likely embarrassing to the company.
According to SANS Institute computer forensics instructor Rob Lee, once security experts and forensic investigators are brought in, the extent of the damage is slowly uncovered and is often considerably more than initially thought. The changes in the story are completely normal. It’s the public’s reaction that isn’t.
According to Privacy Rights Clearinghouse director Beth Givens, Sony’s biggest problems were that it confused the customers by going public too early and that it unnecessarily stored old financial data.