Sony – are they really treating their loyal customers with respect?

Today I got this email:

Tell us what you think of PlayStation® apps/services

Dear Alex

We value your opinion. Please help us by completing a short survey on your views on some PlayStation® apps/services. The questionnaire should take 5-10 minutes to complete.

Simply click on the link below to take part…

http://survey.euro.confirmit.com/wix/p999999.aspx?r=9999&s=IVQKWILF

(If you encounter problems with the link please try copying it and pasting it into your browser’s address bar)

Please note that this survey is being conducted by an independent research company, Join The Dots Ltd. If you have any problems with the survey itself, please contact andy.smithATjointhedotsmr.com. Join The Dots subscribes to the MRS code of conduct and would therefore like to assure you that your answers are completely confidential and that your responses will not be passed onto anyone at an individual level.

Thank you very much for your help.

The PlayStation® Team

I really don’t know what it is about Sony’s thinking.  I guess it is a valid email but I seem to have got a lot more of these type of emails since Sony was hacked.  Additionally there is nothing in the main ‘survey’ that actually links back to Sony’s official website, what point there is in anyone taking it, or what their reasons are for making it.  The footer section looks like it was from a Sony newsletter though, with the usual gubbins.  If it is from an official Sony survey, then it’s really poor.  I’d advise anyone not sure about it, just to delete it.

Are they really testing to see how gullible, or willing to divulge personal information without any sort of reasonable justification we all are?  It does irritate me that they continue to disregard the sanctity of personal information.  After all, it wasn’t 5 minutes after they went live after the site went down before they ‘realised’ (someone warned them) that their password reset process had a fundamental vulnerability.

Back in the 21st of May I wrote an email to Sony expressing my concerns.  Not necessarily objective or completely rational and considered as I was a little annoyed at the time, but it was how I thought at the time:

Firstly I do want to thank everyone at Sony for (eventually) being open and candid about the attacks and progress to getting it working again.  I’ve been following the blog and all updates that I could to track progress.

So when I was able to change my password, I did so as soon as I could.

However it didn’t go smoothly.  I tried several times and every time I either got a server time-out problem or got the same error code that happened before the “psn is down for maintenance” error.  At no time did it say that my password change was successful, on my Playstation.  While I was trying, I did get an email stating that the password change was successful… although I never got that message on my Playstation.

I am able to log in successfully now, but it worries me that you subsequently stated that there was a vulnerability in the URL for password resets.  I’m sorry, but I work in website development, and that is such a fundamental and inexcusable omission, especially after spending so long to get things back up and running.

I’m also concerned that Sony’s own home country isn’t willing to allow the network to go live until they are absolutely happy with it.  Yet, you launch it in the UK and several other countries and immediately there is another vulnerability.  It’s simply not good enough.

As for your Welcome Back package… it’s a nice gesture, sure, and I understand that it’s impossible to keep everyone happy, but…

Your most valued customers are those of us who have been loyal to Sony.  I’ve had a Playstation 1, 2 and now the PS3.  I regularly buy online games and commercial games, and always buy any game that I’m interested in usually as quickly as I can.  Therefore offering 2 games from a limited selection of existing titles is a meaningless offer to someone who either already has them or has no interest in them.

The extra month’s subscription is also moot as the network was down for one month, and I heard it’s expected that the market will be down for another week or two, so there’s no benefit for me there.  I pay for Playstation Plus for the benefits in the service, rather than any online gaming, so I’m getting absolutely nothing from that either.

Then there is the fraud protection scheme.  Thus far you have only provided us with details on companies.  I know this is a complicated process, but it’s one that’s going to cost me money, and I imagine Sony get referral commission on, so again this is a valueless offer.

I’m already getting spam sent to me with my own full name.  I’ve never had spam get through Google’s filtering (it’s genuinely very good) until now, and it’s too much of a coincidence to assume that it’s anything other than data obtained illegally via your hacked data.  And actually, again as a web programming professional, the notion that you had unencrypted passwords (encoded or not) is absolutely unthinkable.  Calling it negligent is being far too kind.

So, I can I ask of you a few things, please:

• That we are all able to change our online usernames (i.e. change mine from user123 to something else) free of charge.  I’ve heard this is available in Japan, so I have no idea why we can’t do that here too.  I personally see this now as a necessary additional security step.  I hope that you share my opinion.
• I want reassurance that my account wasn’t hacked again while I was trying to reset it (and getting the error messages on my Playstation).  I also want unbiased and professional support to protect the data I have and to properly assure me that I’m as safe as can be from identity theft / fraud, etc.
• I’d suggest that as an option in case someone (a loyal customer) isn’t interested in any of the free titles on offer, that either a cash value that could be used in the Market, or discount codes that could be used for any online games.
• I also suggest that you somehow need to convince us in the UK (and other countries) as much as you do for the Japanese government that our data is safe with us.  As it stands you have already lost the data that could potentially destroy the lives of your users through identity theft, fraud, phishing scams, etc, etc.  The password reset vulnerability, and hacked website have done a lot more damage to our trust…
• Also, can you please provide detailed information (on your blog) to users that may not know the intricacies and scope of the breach – how they can help secure their other accounts, etc. Many ordinary people don’t understand about “phishing” “spam”, etc, so they need to know exactly what was stolen, and how it could be used illegally, and how they can best act to prevent that from happening.  Other websites and companies have provided advice, but I think it’s best to summarise that candidly.  The fact that you’ve stated that “credit card data may have been stolen” means that one should assume that it HAS been stolen, and may well be used if/when it’s deciphered by whomever gains access to it.  Even if no card data has been abused for months afterwards, it’s no guarantee that it will never be used…

The damage done is not just to Sony.  It’s to all your millions of loyal supporters and those of us that love games.  I don’t blame anyone at Sony for the problem, even though there was obvious negligence that has taken place, it’s a harsh lesson to all companies that run services online and rely on the internet for commerce.

It’s not what has been done that could destroy Sony, but what you do now.  So please do the right things for us.  Show us your commitment to us, and that our loyalty is rewarded.

Thanks for your time reading this,

Yours Faithfully,

I haven’t had a reply from them…