SmartMoney Blogs

Pay Dirt
A daily look at what we buy, how we spend, and the companies that do right - and wrong - by their customers.

Dear Sony Customer: 5 Ways To Read Bad News

The letter begins politely, as all letters delivering bad news do. Sony’s came with those three little words at the top: “Customer Service Notification.” That’s when you should sit down. It’s usually all downhill from there. Announcements like these, informing you that your data has been breached, are becoming all too common.


Sony’s missive addresses customers thus: “Dear Valued Sony Online Entertainment Customer.” That’s humble, polite, dignified: 10/10 for a good start. In short, the letter says that the data breach of 77 million PlayStation users now extends to 24.6 million Sony Online Entertainment customers, so a contrite opening was important.

Jonathan Bernstein, president of Bernstein Crisis Management, was put off by the technical and sometimes confusing “corporate-speak” in Sony’s letter. “The theft itself undermines Sony’s perceived competency,” he says, “but I think they did a good job, overall, of factually communicating how they were getting back on top of the situation.”

Pay Dirt has already given some rules of thumb for customers whose information was breached as a result of the data theft at marketing company Epsilon. There will be an increasing number of letters like these from other companies in the months and years to come, so here are the top 5 tips on how best to translate them.

1. When will the data breaches end?

“Our ongoing investigation of illegal intrusions into Sony Online Entertainment systems has discovered that hackers may have obtained personal customer information from SOE systems.”

Translation: A spokeswoman for Sony says the investigation is ongoing. This latest discovery happened on May 1 and the company told customers the next day, so it has been quick out of the traps with this update on its data breach. In this case, it’s good for bad news to travel fast. The sooner we know the truth, the better.

2. Have our details been stolen?

“We are today advising you that the personal information you provided us in connection with your SOE account may have been stolen in a cyber-attack.”

Translation: There’s one thing that’s possibly worse than being the victim of a crime, and that’s when you are not sure if you are a victim or not: you see a vase lying upturned in a laundry basket when it should have been sitting on the mantel. Certain databases have been breached, but not all information therein may have been stolen. The two announcements are the cyber equivalent of realizing your TV was stolen and, on closer inspection, discovering that your favorite pair of earrings is missing too (24.6 million pairs in this case).

3. Why is my password “hashed”?

“Stolen information includes, to the extent you provided it to us, the following: name, address, email address, gender, birth date, phone number, login name and hashed password.”

Translation: Technology blogger Joe Manna says “hashed” means that the cyber criminal may be able to decrypt it later. On the upside, Sony says there is no evidence that its main credit card database was compromised as it’s in a separate secure environment.

4. How did this happen?

“We greatly appreciate your patience, understanding and goodwill as we do whatever it takes to resolve these issues as quickly and efficiently as practicable.”

A spokeswoman says they were “very sophisticated perpetrators.” (That won’t necessarily make customers feel any better.) Sony also says it has engaged a recognized security firm to conduct a full and complete investigation into what happened; the spokeswoman says some of those sensitive security details will remain confidential. Manna says, “It’s just a guess, but it appears they have no idea who executed the attack. This seems to be par for the course of compromises recently.”

5. What can customers do now?

“When Sony Online Entertainment’s services are fully restored, we strongly recommend that you log on and change your password.”

Translation: Yes, but you can’t change your date of birth. In future, if a company requires information for identification purposes only, give a false date of birth or the phone number for an old prepaid phone. And whether you are a Sony customer or not, never give your personal details to anyone who emails or calls.

Pay Dirt readers, what do you think of Sony’s response?



About Pay Dirt

  • Pay Dirt examines the millions of consumer decisions Americans make every day: What to buy, how much to pay, whether to rave or complain. Lead written by Quentin Fottrell, the blog examines these interactions, providing readers with news, insight and tips on shopping, spending, customer service, and companies that do right – and wrong – by their customers. Send items, questions and comments to or tweet @SMPayDirt.