Sony: just another victim

One of the most interesting aspects of the Anonymous/LulzSec hacking of Sony is the opportunity to observe what effects it might have over time. Now a legal decision in Australia has placed Sony in a position that, I suspect, it finds very agreeable - as a victim.

While most security analysts seem to agree that the hacks themselves were fairly trivial - from both a technical perspective and in terms of immediate damage - the true significance, we were led to believe, would be the effect on Sony’s brand.

Indeed, various Anonymous and LulzSec mouthpieces were keen to point out the reputational damage they had wrought. Time after time, with both the Sony hacks and other high-profile attacks mounted by the groups, we were informed that the whole point was to sully the reputations of the organisations under assault so that customers would think twice about doing business with them. 

One Anon told me, in an IRC chat, that the desired result will be that, “people will think twice before they hand over their identities online. That people will stop and say ‘Do I KNOW this data is safe? Do I KNOW no one can hack into this system and use my information against me?’”

However, this effect relies on one critical factor: it’s important for the general public to believe that Sony was culpable in this matter - that its poor security (and it certainly was poor) was a major contributor to the leak of its customers’ data. In that scenario, hackers such as LulzSec are more of a catalyst than a cause, or at worst the final link in a chain of insecurity for which the hacked company is partly, if not largely, responsible.

But…

I found, when researching an article on hacktivism for Network Security (available on Science Direct - subscription or payment required), that this is not a perception of the Sony hacks that is universally shared. In fact, I concluded that LulzSec’s desire to taint Sony by leaking the company’s databases faced a number of hurdles.

The first is that people forget. Try asking your friends (at least those who aren’t followers of hacktivism) about the incidents and you’ll probably find that many have forgotten all about the hacks, even if they knew about them in the first place.

Sony customers, especially members of the PlayStation Network (PSN), may be more inclined to remember. But I don’t think it’s too cynical to suggest that most of those will be inclined to forgive and forget just as soon as the next cool game comes out. I’ve certainly not heard of any large-scale abandonment of the PS3 platform.

Of course, many people will simply not understand that Sony was in any way culpable in this matter. IT security is a complex and arcane issue. Poor security is hard to explain to lay people. Yet everyone’s heard of hackers, a term now (alas) largely synonymous with ‘criminal’ in the public’s perception.

And so most people who remember that Sony was hacked will simply assume that the poor company was maliciously attacked by bad guys.

The Australian Privacy Commissioner, Timothy Pilgrim, agrees. He’s just ruled that one of the victims of the PSN breach was … wait for it … Sony. His investigations have concluded that Sony was not in breach of the country’s National Privacy Principles - that it was the nasty old hackers who ‘disclosed’ the company’s data, not Sony itself.

As time goes on, the number of people who remember that Sony was hacked will diminish. Given that those who realise the company was partly to blame will be a small subset of that number, and that those who care enough not to give Sony their business are a smaller group still, Sony can probably rest assured that it is already over the worst.

At least, that’s as far as reputational damage goes. The firm is still facing lawsuits, including several class actions. But all that’s at stake there is money…