Gamasutra: The Art & Business of Making Games
Sony and Valve: A tale of two hacking responses
February 16, 2012 | By Chris Morris

More: Console/PC, Exclusive, Business/Marketing



Like a lot of people in the gaming world, I got an interesting email from Gabe Newell last week.

The Steam hacking incident of last November, he said, was worse than they initially thought it was. And while there still was no direct evidence that credit card information had been accessed, a backup file containing that information (albeit encrypted) was obtained by the person or persons who had broken into the system.

It was disquieting information delivered in an oddly comforting manner – and while the service has 40 million user accounts under its control, there wasn't a lot of outrage in the forums and throughout the online world. It was a curious juxtaposition to what Sony had faced just a year prior.

During that hack, of course, the level of hostility aimed at Sony was staggering. Players and the media hit the company for its lack of transparency and seemingly unapologetic attitude toward the attack. Large-scale game hacking was, after all, a brave new world – and one that no one was really prepared for (something that seems absurd in retrospect).

Was Valve's reaction to its hacking problem truly better than Sony's? Or were there other factors at play?

The answer, I think, is both. It's hard to find anyone who will defend Sony's handling of the hacking incident – including inside the office of that company. But Sony's missteps and stumbles helped other developers and publishers learn what to avoid. And no one learned better than Valve.

When the Steam database was breached, Valve's Gabe Newell sent an IM to users alerting them to the incident, explaining the situation (and what the company was doing) and quickly apologized. That note came four days after hackers hit the company's forums – the first sign of trouble.

Sony, meanwhile, waited six days before giving any real visibility into the severity of the situation – though it did acknowledge the outage and let people know it was looking into things almost immediately. That's not a significantly longer time period, but the company was quickly put on the defensive.

The first formal apology from a Sony official didn't come for another five days, when Kaz Hirai held a press conference in Japan.

As with Valve, the bad news didn't all hit at once. It got progressively worse. Just as users were absorbing the PSN and Qriocity music service hits, it was discovered that Sony Online Entertainment was also hit. And then the copycat attacks started coming, this time at Sony Pictures. It was a perfect storm of bad news brought on by hackers looking to latch on to the media blitz.

Valve, hopefully, has reached the end of its road as far as bad news goes. But the fact that it took three months to discover the extent of the breach and notify users was interesting, especially for the lack of reaction.

Valve, of course, encountered its hacking problems with a few advantages. Sony, as a multinational, multi-billion dollar company, had to overcome a reputation of a big, faceless empire. Valve has always maintained a relationship with the community – and ensured its place as a gamer favorite when it reached out to them for help when the Half-Life 2 source code was stolen. Newell has also maintained a direct relationship with his customers – emailing back and forth with them regularly.

This goodwill undoubtedly helped the company when dealing with the fallout of this incident – as did studying the moves of those hit by hackers before it. While Steam's messaging was certainly better worded than Sony's, its timeliness was roughly the same.

But ultimately, I think gamers have gotten over the hysteria of hacker attacks. Rather than obsessing over identity theft or stolen credit card numbers, they now know to put an alert on their credit reports and that they won't be liable for any charges made if, in fact, those card numbers are stolen.

What was so unthinkable a year ago is now commonplace – an annoyance that's worth keeping an eye on, but not worth panicking over.

But how a company handles that is just as important. And you can bet your bottom dollar that EA, Microsoft and any other company that handles credit card data from customers is taking note of how Valve has successfully negotiated these waters.


Comments


Bart Stewart
What about the possibility that the affected audiences are different? How people react to events may be as much (or more) determined by who they are as a group than by the external actions of others, such as "how soon did they tell us" or "were they remorseful enough."



In the aggregate, are PC gamers more technically knowledgeable, and thus more understanding of the difficulty in defending against data breaches? Are there any hard data that might support or falsify a theory that PC gamers as a group are different from PlayStation/console gamers, and thus might react differently to bad news?



I'm not claiming to know either way. But if we're serious about trying to understand the visibly different reactions of these audiences to similar provocations, I think these are questions that should at least be asked.

Bernardo Del Castillo
I was going to say the same, I've noticed just out of observation, that console gamers treat their gaming platforms more like a black box.

A W
For years consoles have been treated like a black box as Bernardo said, and really that IS what gaming consoles are. But I think Sony's problem stems from more than just the hack. Most of the anger started when Sony removed a feature from the PS3 in an attempt to stop such things from happening in the first place. Some theories abound that the removal of Other OS may have directly led to the attack, and that may be partially true. I however think now that the hack may have been 2 events instead of just 1. One group of individuals started a protest, and another group of individuals decided to exploit the event.



Now it seems the only reason hackers hack these days is because they want to steal, or at least one group of hackers does it to steal rather than to lol. Whatever the case they are hurting the activist hackers because they are all being seen as one group rather than separate entities now.

Dan Felder
Personally, I think that the core issue is that Sony was the first time anything like this had happened, and customers were surprised, afraid and outraged. Valve was the second, and by that time we knew this sort of thing could happen so there was less shock and outrage.



Also, I'd guess that people are more likely to give Valve the benefit of the doubt than Sony.

Jason Withrow
While I think Bart Stewart has a very good point, above, this was my initial reaction to the outcome. I don't want to be the guy who doesn't seem to have read the article (I have) but this really didn't strike me as any more complicated than "Why would we be angry again? We've already been/We're already being angry over here."

Cordero W
I'm glad this was brought up. After the news that my account had been hacked on Valve, I was immediately registered to another site with the same login information, that site being ign. I was sent an email that I registered there under my steam name, so I went there to see if my login for steam worked there. Lo and behold, it was the exact same information, as if someone was testing my login info. Though it astounds me why instead of sending it to another email unless to dodge suspicion.



I sent emails to both ign and Valve explaining the issue, and of course had my password changed, though valve's way of handling it was just "change your password". It doesn't mean much to me because I never save my vital information on any site, but the way they casually told me to handle it threw me for a loop. At least tell me that you guys are still under investigation for the security breach and an apology would have been nice.



It's just one of those things that really struck a nerve with me.

Harry Fields
I'd argue the Credit Card #s being encrypted versus plain-text was a big part of the different reactions, too.

Harry Fields
Could be, I'm just going by the initial information which would underscore how poorly Sony handled the situation... If the CCNs were encrypted and most (or at least many) of us are still assuming based on original reports that they weren't.... well, that would just be bad bad PR.

Richard Eid
Credit cards were encrypted according to Sony. It would be a terrible thing for them to not be honest about, because it's not like they couldn't have been proven wrong in seconds. Besides, had they not been encrypted we'd have seen an incredibly massive influx of credit card fraud shortly after the incident took place. Nothing like that ever happened.

Lyon Medina
@Richard



I think the influx (if one) would come at a later time, hoping that people would have then forgotten about the hack, and not monitored their credit card as carefully.

Richard Eid
The longer you wait the higher the chance that cards will be expired or cancelled. When card numbers are stolen they usually go up for sale right away to be taken advantage of before they are no longer good.



It doesn't matter, though, because the cards were encrypted.

Mark Ludlow
This is one of the reasons why Sony's hack got a lot more outrage, because the fallacy of passwords and credit cards being stored in plain text ran rampant and was perpetuated by major sites quoting what people were saying, not stating what the facts were.



The credit card data was encrypted but Sony didn't state that initially, leading people to believe it wasn't. They also phrased their statement about passwords badly, making it sound like they weren't encrypted or protected, when really Sony was saying that they used a different method involving a cryptographic hashing function.

Lyon Medina
@ Richard



However, that would be contrary to stealing them in the first place. The opportune moment to steal anything is when it is least expected, in order to give you the opportunity to get away with the theft. Of course, this is different to someone losing his or her credit card and having an online breach of a secure site.



No one personally knows if it was Sony’s entire network that was affected when the hack went down. Could it be a third, half, or even a tenth of the community or the entire user base that his or her information was tampered during the hack?



Did Sony tell everyone individually? No, they sent out a large mass email saying, hey keep an eye out on your credit cards, and if there are any clues to theft, we will reimburse you for any damages, because our network was hacked. (Paraphrased of course)



If I personally had the information of let’s say 1000 credit cards. I would use them all at the same time when I know people are watching.



In addition, if I thought my Credit Card was in danger of being used without my permission I would watch my statements like a hawk for months. Then eventually forget about it because I have other pressing matters.



It's a weird situation to begin with, and we are so getting off topic. Haha I'll stop now.

Joe Wreschnig
Although Sony said it was encrypted, Sony had also just had a major implementation failure in their cryptography code, and a history of poor security throughout PSN. Even if I believe that they *tried* to encrypt it, it's awfully hard to believe they did it correctly given their past examples.



A blanket "it's encrypted" really shouldn't be satisfying anyone who cares about security. Encryption implementation is easy to get wrong and unless the encryption protocols are documented and the implementation is open to third-party inspection it might as well be cleartext most of the time.



On this count, I believe Valve is just as bad.

Joe Wreschnig
"Sony's credit card info was both encrypted, and not stolen."



http://venturebeat.com/2011/04/30/sony-says-10m-credit-card-numbers-may-have-been-exposed-fbi-investigating/



"Sony executive Kaz Hirai said tonight that the number of exposed credit card numbers in the PlayStation Network hacker attack was about 10 million."



The difference between "exposed" and "stolen" is immaterial as far as the practical measures you need to take to prevent and deal with the problem. If they were exposed but not taken, that means incompetent hackers, not competency at Sony - rather the opposite, the more incompetent the hackers, the worse it reflects on Sony's preparedness. I will agree that we haven't seen any major fraud. Which suggests that they were exposed but not "taken", the encryption has held up, and/or the blanket fraud protection methods Sony provided scared off enough people.



"Poor security throughout PSN" refers to the number of games with ridiculous game exploits that opened up once their ECDSA implementation had been broken. The ECDSA crack, the stolen PSN information, client-side sanity checks for multiplayer games, the numerous other low-hanging crackable Sony services - these are all indicative of Sony's lack of security culture and unpreparedness. Sony had no clue what they were doing and if they want to regain that trust, they need to be a lot more open about their current security policies. They're not unique in this respect, but I think they probably are unique in the sheer number of times they have been cracked.

Nou Phabmixay
"And my bank told me when I went to cancel my card that Sony told them the info was not stolen."



Well, if Sony said so.

Simon Ludgate
Perhaps another reason for the hostility against Sony was that the hack came after a long series of unpopular moves in regards to the Playstation 3 platform, such as the removal of PS2 compatibility, the ability to run Linux, and various anti-consumer lawsuits. I think there was already a lot of anger and frustration directed at Sony, and the hack was just another reason to vent.

Paul Shirley
Not just the PS3, many were still regularly bringing up the CDA rootkit outrage.



Sony spent a lot of years creating a lot of enemies, many of them with above average access to news media or direct to a great many followers. They can't be surprised if enemies exploit moments of weakness.



They shouldn't be surprised (but were) that years of douche-baggery had also shredded their reputation in many otherwise disinterested observers.

Michael Gribbin
If Gabe Newell told me that Valve had accidentally set my house on fire, I'd keep playing Team Fortress 2.



Call me a xenophobe, but Valve is in the US. Sony is in Japan. While Sony is ALSO in the US, as a brand, Sony = Japan. This makes them feel physically distant to me, and that makes issues of security inherently more... tense. Especially when transparency is an issue.



Now if we could see how Japan felt about the Sony hacking versus how Japan feels about a US company that has all their info being hacked, it would be interesting.



But to do that, Japan would have to use US products and services! Ho ho ho.



(disclaimer: I know they do.)

Darcy Nelson
You're a xenophobe.

Ron Dippold
Since nobody's mentioned it yet, there's also the Microsoft response - 'Hacking problem? What hacking problem?'



You might argue that exploiting Live's login weaknesses to break into individual accounts is not really the same as getting inside and stealing the account database - but it's also the only one of these three cases in which thousands of users have lost $40 to hundreds of dollars each. MS seems to be consistent about refunding this after a month long investigation, but their response has consistently been that there's no problem, move along.

Trenton Ng
As a few people have mentioned, PSN's service was entirely down when the hacking occurred which disabled the use of: buying games, playing online, accessing programs such as Netflix, and playing internet required single-player games (such as Bionic Commando Rearmed 2 from what I heard) among other things. Also, little information was given by Sony and this left the community in the dark which probably caused the incident to sound even worse as media and word of mouth started talking about it. Valve addressed their problem as promptly as possible and I suppose the great number of hacking incidents in the past year has taught us to take it a bit more calmly rather than go hysterical.



Sony was hit hard with information breaches and system hacks, yet they survived through it and handled it the best they could. They didn't "have" to give anything to all players as the service was free to begin with (unless registered as a Sony Plus member) yet they did so and ensured that they were still going to stick with the community and ensure that PSN wasn't going to be a lost cause.



It'd be nice if these incidents would cease, but it doesn't seem like it will...

Bob Johnson
Maybe also the media's fault. I had no idea about the Valve breach and I regularly visit gaming sites. I haven't been on Steam in awhile though.



You couldn't escape Sony's breach. News of it was everywhere.



I would also add that the language/culture barrier didn't help Sony either. And it didn't help that they were first. It is difficult to get as outraged the second time around. It is harder to blame the victim company at least.

Heng Yoeung
Might it be the case that some wanted to see Sony fail? Why? Well, I have read that some have expressed that Sony had been a company that's become "arrogant", which, frankly, I don't know how anyone can come to that perception. Personally, I had no idea that Sony had become arrogant. Maybe I'm just not in the know. It's not unusual that people like to prop other people on a pedestal and then knock them down. It's the part of the human psyche that likes to laugh when people fall down. I think that's part of the reason for XBox's success this generation. Sony being too successful is a bad thing. Therefore, migrate to Xbox. I'm not saying that this is the only reason XBox is successful. I'm saying it's one of the reasons.

Glenn Sturgeon
If you ask me a big part of the reaction difference is "pc people" have dealt with hacking, viruses, phishing and so on. Being a bit more aware of the hostility of the web may have toughened our skin a bit.



I think another part of the difference in the psn and steam reaction could be at least steam accepts paypal so it's a lot easier to buy digital without sending your CC info to valve. With psn it's a bit of a hassle to go out to a retail box and get points cards. Either way I still think people should learn a lesson in not releasing their cc data to web sites and not sending it across the web if possible.

With that said, I noticed today PSN (now SEN) still doesn't have paypal support. IMO this pushes average joes to put their CC info on the sony server and makes it a lot less likely for someone like me to buy much of anything on psn due to the inconvenience along with I'd rather not top off digital title prices with (retail) tax.



This story reminded me of seeing this earlier this week, speaking of a horribly run website, doesn't MS have standards for any company that runs its "Trade mark MS branded" web sites? http://www.tomshardware.com/news/Microsoft-Store-India-Hacked-Breach-Passwords-Stolen-Plain-text,14688.html

Joe Wreschnig
Unless I have a recurring subscription there is no reason PSN/SEN or Steam needs my credit card details on their server, nor Paypal. Store it on my machine encrypted with PBKDF2. Ironically I believe Nintendo is the only company that has figured this out - last I heard the 3DS CCN storage was entirely local - although I doubt they're doing it as securely as they could be.

Rob Wright
I have to say, I wasn't entirely thrilled with how Valve handled the hack disclosure. Sure, they made multiple announcements on Steam, but Valve has my email address and for those folks that weren't on Steam at all for a couple weeks, it would have been nice to get an email alert or something from Valve. I don't know about anyone else, but I never got anything -- and I receive plenty of other Valve/Steam emails.

Joe Wreschnig
Indeed, I've not logged onto Steam in about a year, and I assume my account is still there, but I've gotten no communication from Valve at all. No one's talking about the Valve hack because Valve isn't telling most of the compromised accounts, or the number of compromised accounts is hugely smaller than just "Steam users."

Kale Menges
Personally, I think it just comes down to each company's "corporate identity". Sony has a reputation as a relatively soulless mega-corporation that has its tentacles in all kinds of industries and products. As big as the company is, there was a sense of consumer entitlement for sophisticated security and when that broke, consumers felt somehow betrayed or lied to. Valve, on the other hand, is a game developer, albeit an extremely successful one, is considerably smaller than Sony and as a company has always had a sense of intimacy with its vast audience and user-base. That relationship created a different set of expectations for a similar situation.

Jonathan Murphy
My account data has been compromised on EA, Sega, Eidos, SoE, Steam, and other places last year. Most of those websites had my job hunting info. Hackers have been ignored for far too long. This outcome was inevitable.

Isaac Chandler
I wish I could check my Steam account to see if it got hacked, but sadly I can't login. Apparently I don't know the answer to my security question and I can't remember my password. Oh well, good excuse to get a different account I guess.

