I don't understand what you're trying to argue here. If we replace Sony with any other company, everyone would react exactly the same? Yes, I think they would. I think we'd make fun of any company that react to a security breach the way Sony did. And, frankly, if Bank of America took a week to notify customers that credit card information had been stolen, they'd be in front of a Grand Jury by the end of the month, forget a silly class action suit.
Lol about that last bit. Yeah basically that was my point but I guess we should really look into the story with what we have instead of speculating... From what I read, it took around 6-7 days for Sony to understand first of all: "What had happened" second after learning that they had a breach: "What went wrong" and then learning that it was a information robbery: "What was stolen".
Maybe 6-7 days is too long but to be honest I'm not a security expert. I don't really know how long it would take me to know what exactly happened, if I ever find out what transpired.
A multimillion company has a lot more advantages but it doesn't make them the best... Maybe they had multiple layers of information to go through to see what was really compromised... Unless we have the... say... transcript hour per hour, day by day of their process learning exactly how long it took for them to know what had happened I'm willing to give them the benefit of the doubt.
Also before I forget. You have to confirm what truly happened... If you go 1 hour after shutting down the PSN and say (without any proof, clues or facts): "Hey, all your info is compromised. Cancel your CCs just to be safe" And then it turns out nothing really happened a lot of people would be pissed off. With good reason... But anyway that's my view.
While I agree with the gist, I think in execution, Sony did it poorly. Let's assume that Sony has the best security in the world, and let us assume that the fastest anyone can verify an intrusion of this magnitude is a week. Basically, we remove any technical fault of Sony's. So, they discover the breach in the fastest possible time, investigate the breach in the fastest and most thorough manner, and know exactly what was taken in the shortest amount of time. Once they collect all of this data, they announce it to their customers.
The question then becomes, is this method of security good enough? Technically, it's perfect, but is that enough? I would say no. And here's why. A lot can happen in a week. By the end of a week, your credit card could be maxed out. It could be used in a way that gets you into trouble (buying explosives, for instance). If I wanted to kill someone, having a stolen credit card would be a great way to get the weapon. And most people do not check their statement daily, or even weekly.
So Sony customers went a week without any official announcement that there was a possibility of credit card theft. Would an announcement "We have suffered a security breach and are investigating it. Please be aware of the following concerns until we fully investigate the issue and determine what was stolen" at the beginning have been that bad for Sony? It would have alerted the public of a possibility, maybe started some outcry, and then people would pay attention to their credit reports. Then, after the investigation is complete, the final verdict on keep or cancel your card can be made.
The only reason not to make this announcement is PR. Sony hopes to discover that there was no serious theft, so after a week they can say "We suffered a breach, but our security held" and everyone thinks "good for them." But instead its, "We didn't tell you a week ago, but your credit card has been compromised" and it's a disaster.
The better method would be mine. You make the early announcement, people get wary and there is some shaken confidence. Then, a week later, either A. you find out it is the worst case scenario and everyone goes "Yeah, I sorta figured this was coming. At least I was able to prepare for it" or B. you find out that nothing too bad happened and everyone thinks "Oh, that's awesome, good security there."
The point is, Sony once again showed that they don't trust their consumers. Sony left them in the dark about important issues in order to protect Sony's image, and it backfired. Sure, crackers are at fault for the incident. But Sony's mishandling of the situation and serious risk they put their customers in is their own fault. Even assuming that they had a perfect security system, which I rather doubt.