I doubt anyone has missed the big news this week.
Okay. It hasn’t exactly been a slow news week. First of all there was the Hereditary Head of State (Tipa corrected me on Dictator) Wedding on Friday night. That one was inescapable unless you unplugged completely, or found a rare TV station that wasn’t pandering… (Hooray for Bill & Ted’s Bogus Journey!)
Then the US government finally won it’s game of Where’s Wally and proved that you cannot hide forever when billions, dare I say trillions, of dollars are spent in finding you.
But the big news that relates specifically to our little neck of the woods are the massive problems that Sony, and now SOE, are having keeping their customer data secure.
If you are one of the very few (a number somewhere around the size of Plank’s Constant) people in the gaming community who haven’t heard what’s happening, the story is a couple of weeks ago Sony was hacked. The hackers gained access to an outdated database of Playstation Network customer data with something like 77 million accounts. That’s bad enough, but in the last couple of days it has been revealed that there were somewhere north of 20 million non-US SOE accounts compromised in addition.
When the initial breach was discovered, Sony shut down the PSN, but still took several days to inform the public. I’m not a PS owner, but I think the PSN is still down. To make matters worse, all SOE games and websites are now offline as a result of the SOE data revelations.
Mission Critical Systems Must Be Secure
First of all, let me say this: Not for one minute is any of this Sony’s fault. It’s the hackers fault, whether they are a script kiddie or a organised crime group, these criminals should bear all responsibility. To blame Sony/SOE as some are doing is akin to blaming a rape victim for dressing provocatively, it’s something that’s just not right.
Having said that, I have to wonder what Sony was thinking, keeping a database of outdated data on an accessible network.
Once the data had been upgraded to be more secure; that’s what it seems happened as the old data stored information in an unsecure format; the old database should have been archived and stored offline. It’s crazy to fix a security problem and then leave the old system still accessible, even if you think it is on a secure network.
Unfortunately, this simple oversight has not only cost the company millions in lost revenue, it has hurt their reputation even more, especially since they dropped the ball when it came to informing their customers when the breach first occured. SOE doesn’t exactly have a stellar reputation, although that is more to do with player perception on how their games are treated by the company, but this will hurt player confidence in how their precious personal data is treated.
How many potential customers will think twice about entering credit card details now?
Who Else Is Insecure?
All this makes me wonder how secure other providers of these games are.
After all, the bulk of the budget in developing a MMORPG is in the game itself. While the websites, forums, and ecommerce systems are important to the ongoing operations of these games I wonder how much effort actually goes into their development. After all, it’s pretty easy to develop a website. Forum and Support software is available as both open source and commercial packages, as is ecommerce software. So it’s pretty likely that many of these systems are simply dropped in and modified to suit the business requirements.
How secure are these systems, really?
The Silver Lining
My guess is that this event has scared a lot of people throughout the MMORPG and gaming industry, and that a lot of additional resources have been devoted over the last few days to check out exactly how secure the ecommerce databases really are.
This can only mean that for us, the player customer, that our personal data will be more secure than ever.
And if it isn’t after this, then perhaps the MMORPG companies can be blamed.