Sony and Valve: A tale of two hacking responses
Like a lot of people in the gaming world, I got an interesting email from Gabe Newell last week.
The Steam hacking incident of last November
, he said, was worse than they initially thought it was
. And while there still was no direct evidence that credit card information had been accessed, a backup file containing that information (albeit encrypted) was obtained by the person or persons who had broken into the system.
It was disquieting information delivered in an oddly comforting manner and while the service has 40 million user accounts under its control, there wasn't a lot of outrage in the forums and throughout the online world. It was a curious juxtaposition to what Sony had faced just a year prior.
During that hack, of course, the level of hostility aimed at Sony was staggering. Players and the media hit the company for its lack of transparency and seemingly unapologetic attitude toward the attack. Large scale game hacking was, after all, a brave new world and one that no one was really prepared for (something that seems absurd in retrospect).
Was Valve's reaction to its hacking problem truly better than Sony's? Or were there other factors at play?
The answer, I think, is both. It's hard to find anyone who will defend Sony's handling of the hacking incident including inside the office of that company. But Sony's missteps and stumbles helped other developers and publisher learn what to avoid. And no one learned better than Valve.
When the Steam database was breached, Valve's Gabe Newell sent an IM to users alerting them to the incident, explaining the situation (and what the company was doing) and quickly apologized. That note came four days after hackers hit the company's forums the first sign of trouble.
Sony, meanwhile, waited six days before giving any real visibility into the severity of the situation though it did acknowledge the outage and let people know it was looking into things almost immediately. That's not a significantly longer time period, but the company was quickly put on the defensive.
The first formal apology from a Sony official didn't come for another five days, when Kaz Hirai held a press conference in Japan.
Like Valve, all of the bad news didn't hit at once. It consecutively got worse. Just as users were absorbing the PSN and Qriocity music service hits, it was discovered that Sony Online Entertainment was also hit. And then the copycat attacks started coming, this time at Sony Pictures. It was a perfect storm of bad news brought on by hackers looking to latch on to the media blitz.
Valve, hopefully, has reached the end of its road as far as bad news goes. But the fact that it took three months to discover the extent of the breach and notify users was interesting, especially for the lack of reaction.
Valve, of course, encountered its hacking problems with a few advantages. Sony, as a multinational, multi-billion dollar company, had to overcome a reputation of a big, faceless empire. Valve has always maintained a relationship with the community and ensured its place as a gamer favorite when it reached out to them for help when the Half-Life 2
source code was stolen. Newell has also maintained a direct relationship with is customers emailing back and forth with them regularly.
This goodwill undoubtedly helped the company when dealing with the fallout of this incident as did studying the moves of those hit by hackers before it. While Steam's messaging was certainly better worded than Sony's, its timeliness was roughly the same.
But ultimately, I think gamers have gotten over the hysteria of hacker attacks. Rather than obsessing over identity theft or stolen credit card numbers, they now know to put an alert on their credit reports and that they won't be liable for any charges made if, in fact, those card numbers are stolen.
What was so unthinkable a year ago is now commonplace an annoyance that's worth keeping an eye on, but not worth panicking over.
But how a company handles that is just as important. And you can bet your bottom dollar that EA, Microsoft and any other company that handles credit card data from customers, is taking note on how Valve has successfully negotiated these waters.