The Worst Case Scenario


SOE was already not having a good month, and yesterday it got a whole lot worse.

The crisis at Sony deepened on Tuesday as it admitted that an extra 25 million customers who played games on its Sony Online Entertainment (SOE) PC games network have had their personal details stolen – and that they were taken before the theft of 77 million people’s details on the PlayStation Network (PSN).

The electronics giant said the names, addresses, emails, birth dates, phone numbers and other information from PC games customers were stolen from its servers as well as an “outdated database” from 2007 which contained details of around 23,400 people outside the US. That includes 10,700 direct debit records for customers in Austria, Germany, the Netherlands and Spain, Sony said.

The hack resulted in SOE’s games going dark – and they are still dark. Combine that with Sony’s PSN network going down for what is no doubt frantic retooling, and you have easily the worst case scenario for a company that bases its income on running an online service. If you don’t have an online service, and can’t collect money for it… well, there’s really not much point, is there?

Writing as someone who also works on the periphery of similar issues – as best as I can tell, there is no silver bullet that wasn’t chambered, no best practice that SOE inexplicably ignored. The hell of it, and what the wider world is discovering, is that online security is a dark art, and sometimes the black hats win. About the only mistake that SOE apparently made was leaving a years-outdated database of credit card information mistakenly accessible to the outside Internet – and that was enough of one to shut the company down.

The inevitable lawsuits are of course already spooling up, but the real cost for Sony will be in user confidence. Who will want to enter their credit card into Sony’s database? Even the most casual of consumers has heard of this. There’s no stuffing the genie back into that particular bottle. The barrier to cross for convincing a new player to enter payment information – already the highest hurdle for an online game company to achieve – is higher now because of this. Confidence has to be restored, and fast.

One way to do this would be for online gaming companies to make more use of payment brokers such as PayPal. When I pay for a subscription to, say, Rift, Trion never sees my credit card number. I run through a PayPal gauntlet, am validated, give Trion permission to bill me, and there it is. At no time are my CC digits crossing the digital divide, allowing me to affect an air of smugness.

Until PayPal gets hacked.