PlayStation Network's 24 days of downtime | 10 Years Ago This Month
Sony's 2011 hack was covered as one of the biggest security breaches of all time, but how significant was it in the long run?
The games industry moves pretty fast, and there's a tendency for all involved to look constantly to what's next without so much worrying about what came before. That said, even an industry so entrenched in the now can learn from its past. So to refresh our collective memory and perhaps offer some perspective on our field's history, GamesIndustry.biz runs this monthly feature highlighting happenings in gaming from exactly a decade ago.
More like PlayStation Notwork
On April 20, 2011, the PlayStation Network went down.
It didn't seem like a big deal at first. After all, outages on various gaming networks are semi-common to this day, and the PlayStation Network of 2011 was not exactly known for reliability. The timing was unfortunate, coming right on the heels of anticipated PS3 releases like Portal 2 and SOCOM 4: US Navy SEALs, but frustrated gamers could no doubt find something else to do, get a good night's sleep, and give those games' online functionality another shot the next day.
Unfortunately, the next day Sony gave its first real indication that this was not a normal outage, while still managing to grossly understate the problem.
"While we are investigating the cause of the Network outage, we wanted to alert you that it may be a full day or two before we're able to get the service completely back up and running," it said.
"A full day or two" came and went without Sony restoring service or explaining what had happened. After five days, the company finally confirmed the service had been taken offline as a result of a security breach, with the personal info of more than 77 million registered PlayStation Network and Qriocity users stolen as a result of "an illegal and unauthorized intrusion."
The PlayStation Network would be down entirely for 24 days. Beginning May 15, Sony gradually restored the service over months, with some regions like Japan having some functionality offline for as long as 76 days.
While it was an unprecedented stretch of downtime (and lapse of security) for a major gaming network, it was not entirely unanticipated. Indeed, just a few weeks prior, hacker group Anonymous had warned Sony that it had planned a series of attacks against the company as retribution for its legal pursuit of hackers who cracked the PS3's anti-piracy measures in 2010.
While Anonymous denied involvement in the attack, Sony pointed a finger its way when executives were made to testify before the US House of Representatives. In a letter to Congress, Sony's Kaz Hirai said Anonymous had been executing denial of service attacks on Sony's servers prior to the PSN hack. Additionally, he said that when Sony Online Entertainment suffered a similar breach with nearly 25 million compromised accounts in the wake of the PSN outage, the intruders planted a file on a Sony Online Entertainment server "named 'Anonymous' with the words 'We are Legion.'"
Sony also vowed to "proceed aggressively" against the hackers responsible and bring them to justice. We asked Sony representatives last week to check whether the company was ever successful in that pursuit, but never heard back.
So what was the outcome? Well, there were a lot of class-action lawsuits, and Sony settled them for $15 million. Well, not $15 million actual dollars. $15 million worth of a limited selection of free downloads of PS3 and PSP games and themes that cost Sony basically nothing to hand out. And according to court filings, $2.75 million in actual money paid to the lawyers running the class-action suits.
Sony also paid for 12 months of an identity theft protection service for PSN subscribers, which is an odd half-measure because that's not really how identity theft works. Much of the information stolen could still be used by bad actors to this day. Even outdated information like former addresses provides answers to identity challenge questions from banks or credit reporting agencies, leading to consequences more dire than simply having a credit card number stolen (where the user is typically not liable for fraudulent purchases).
While some were throwing around drastic numbers about what the hack could cost Sony, Wedbush Morgan analyst Michael Pachter offered a depressingly accurate take just days after it happened, saying, "If they offer some free stuff and continue to follow up, this will all be forgotten in a few months."
It's been 10 years now, and while it's a stretch to say the PSN outage has been forgotten, it's difficult to say what kind of long-term influence it's had on the industry, or even Sony itself. While we haven't seen another catastrophic failure on PSN user security, I'm not entirely sure how much of that is due to Sony's efforts. I mean, the company would go five full years from the outage before confirming that it was finally getting around to adding two-step verification to PSN. (Xbox added it in 2013; Nintendo lagged as it often does in anything online-related, rolling out two-step verification for the Nintendo Network in 2017.)
When the PSN hack happened, it was often described in the press as one of the largest data breaches in history. It's much less so now, as security breach tracking site Have I Been Pwned has details of dozens of security breaches involving more than 77 million accounts, including plenty of tech-savvy operations one would hope to be better about security.
Adobe had information for more than 153 million accounts stolen in 2013. LinkedIn lost 164 million email and password combinations in 2016. And as we found out just this month, Facebook patched a security vulnerability in 2019, but not before the personal information of more than 533 million Facebook users around the world had been swiped.
The PSN hack isn't even the biggest data breach in gaming anymore. In 2019, Zynga reported that hackers stole account information belonging to Draw Something and Words With Friends players.
"Cyber attacks are one of the unfortunate realities of doing business today," Zynga said in announcing the breach -- downplaying its failure to secure customer information, neglecting to mention that 173 million users were affected by its failure, and summing up the apparently defeatist attitude towards the subject so many companies have today.
Looking back on the PlayStation Network hack, I can't help but think the real lesson companies learned was that compromising the safety and security of millions of your customers is only a truly big deal if it takes your service offline for any length of time.
GameStop goes digital
Just in case you haven't been following the drama, GameStop has undergone a slow-motion shareholder revolt over the last year. It appears to be nearing its conclusion, as the activist shareholders have essentially seized control of the board of directors and are ready to pick out a new CEO.
So what's the new management's plan to save a brick-and-mortar second-hand game seller in an industry increasingly turning to digitally distributed games that can't be traded or sold? Well, the company has been a bit vague on that front, saying it's going to transform "into a technology business" and hiring a slew of former Amazon executives to help it get there.
It's such a simple plan you might wonder why the retailer waited so long to try it. Well, they didn't.
GameStop has been aware that its role within the industry needed to change for years. In fact, 10 years ago this month it was busy working at just such a transformation to digital.
One year after the iPad's debut, GameStop was convinced about the potential of tablet gaming, and expressed its determination to get in on that market. It opened a storefront on Facebook. It acquired PC digital distribution service Impulse and cloud gaming company Spawn Labs. The intention was to offer "a wide selection of high-definition video games on demand on any internet-enabled device," which continues to be a popular ambition given the Stadias, Lunas, and Game Passes of the world.
(Seriously, brick-and-mortar game retailers have never been ignorant to the long-term threat digital distribution posed to their business, or the need to adapt. It's been 20 years since Electronics Boutique launched its short-lived "streaming" PC game rental site EB1.)
While GameStop made all the above announcements in April of 2011, it had actually laid the groundwork for this a couple years earlier. GameStop launched its $100 million GameStop Digital Ventures push in 2009 with aspirations to create "a world class e-commerce and digital business platform that fortifies our leadership in the multi-channel videogame entertainment industry." The next year it acquired browser gaming portal Kongregate.
The company was so confident 10 years ago this month that it told investors it was targeting $1.5 billion in digital revenues by 2014.
As you might be aware, none of this ended particularly well, and it fell far short of that $1.5 billion target. The company's 2014 annual report put its digital revenues at $216 million, which might help explain why it shuttered Spawn Labs and retired the Impulse branding that year. It held onto Kongregate until 2017 before selling it to MTG.
In fact, around that time investors got fed up with GameStop's performance and began pressuring the company to give up on its efforts to diversify the business. GameStop complied, selling ancillary divisions like Spring Mobile and Simply Mac as it re-focused around its core gaming business.
It turns out the long-term prospects of a core gaming retailer are still pretty grim, which basically brings us back to the past year and shareholders once again yelling at GameStop. Well, now the upset shareholders are running the show, and I for one am eager to see just how they address what seems like an increasingly inexorable slide for the retailer.
Good Call, Bad Call
GOOD CALL: Puppy Games' Caspian Prince, talking in an interview about the illusory nature of indie developer gold rushes: "By the time you hear about the gold rush, whatever it is that was making people rich has been milked dry.
"In the last ten years, several fads have come and gone. There was Facebook games, that came and went because Zynga sewed that up. Casual games was the big thing in 2004 or 2005, but Big Fish sewed that up. Hidden object games shortly after. I think iOS is the latest fad, but of course now we've heard about everyone getting rich on it, it's a dead cert that if we port anything to iOS there's going to be no money in it."
We double-checked with Prince this week and he confirmed that Puppy Games never released an iOS title. However, it did bring Titan Attacks to Android, where he said it "made the square root of bugger all." Puppy Games is still working on new games, but I wouldn't expect them to show up on mobile.
BAD CALL: Sony went out of its way to avoid saying it had discontinued the PSP Go after changes to the Sony Store website first hinted at it, going so far as to release a non-statement to Eurogamer saying, "It is a very exciting time for PlayStation portable devices."
A day later the company would confirm to the Japanese press that the PSPgo had been axed. It's nice to know that 10 years later, Sony is still a firm believer in pulling Band-Aids off slowly to maximize suffering, letting unverified reports of the PS3, PSP, and Vita store closures kick around for the better part of a week before admitting they were 100% true.
GOOD CALL: At the National Association of Broadcasters conference, Avatar director and 3D enthusiast James Cameron rightly pointed out, "One of the big barriers to 3D right now is that you have to wear glasses in the home. Home viewing is very different than movie theatre viewing. I don't think we'll ever get rid of the glasses in movie theatres. Not in my lifetime, anyway, but we're going to get rid of them at home because it's a different viewing model type."
OK, maybe we don't have 3DS-like glasses-free stereoscopic 3D TVs at home like Cameron expected, but we don't have 3D TVs at all now, so he was technically right about us getting rid of the glasses.
BAD CALL: PlatinumGames president and CEO Tatsuya Minami complained about the waning influence of Japanese game developers, saying, "Series grow ever-longer; original titles are on the decline. Games with new at their core are disappearing. Japanese games that garner worldwide acclaim are slipping away."
We've covered the overly dire assessments of the Japanese game industry of this era in Good Call, Bad Call before, but Minami's quote about the lack of originality is interesting considering Platinum's output to that point had been exclusively original titles.
However, since that warning, Platinum's released console projects have consisted of MadWorld spin-off Anarchy Reigns, Metal Gear Rising: Revengeance, Bayonetta 2, The Legend of Korra, Transformers: Devastation, Star Fox Zero, Teenage Mutant Ninja Turtles: Mutants in Manhattan, Nier: Automata, and just a pair of originals in The Wonderful 101 and Astral Chain.