Share this content

What CRM lessons can we learn from Sony's PSN crisis?

12th May 2011
Share this content

Sony's network breach has been huge news and it is threatening to cause long-term damage to the Sony brand, particularly in light of criticism over its handling of the attack. So what can we learn from this crisis?

It has been a nightmare three weeks for Sony. Not only has it had to contend with the financial implications of shutting down its PlayStation Network following a major security breach, but it has also had to face up to the reputational implications heralded by its much-criticised response to the hacker attack.
Sony has confirmed that up to 100 million online accounts could be impacted by the breach – with personal data from 24.6 million user accounts stolen in last month’s attack, and potentially data including credit card numbers also having been stolen from another 77 million PlayStation accounts.
Sony Computer Entertainment Inc is hoping that it will be able to fully restore its PlayStation Network by the end of May, having initially shut it down following the breach, a lockdown that has prohibited gamers worldwide from being linked into live play or upgrade and download games and other content.
But even if normal operations are to resume later this month, the question is whether the damage that has been done to Sony is irreparable. In particular, Sony has come under fire for its handling of the attack, having failed to notify consumers of the breach until April 26 despite the fact it had been investigating unusual activity since April 19.
"There is a saying – often cited to the first Blair government that if a story remains in the press for over 11 days then there is permanent damage done. The situation with Sony may not rest on a political scandal, but it is a story that will not go away," says Richard Merrin, MD at Spreckley Partners (PR) in London. 
"The question therefore is why? And that has to be down to the initial way the company responded to the incident, or more accurately the way it did not respond. And this is the reason behind the damage to its brand. It appears to the outside world that it kept quiet for over 10 days. Was this down to corporate culture? To a belief that the issue would go away? That it was not deemed serious enough? Or was it in fact as a direct result of the tragic events of the recent Tsunami and a real desire not to heap more problems onto Japanese industry? Either way we may never know, but the damage has been done."
An extraordinary event
Chris Clarke, co-founder and managing director of Epoch PR agrees that the crisis seems extraordinary for Sony. "From its humble beginnings back in 1949, Sony has developed an incredibly strong and robust reputation built on understanding what customers want, product and service innovation and quality. Sony’s track record is strong enough to emerge from many types of issues. However, this issue could be different," he says.
"It would appear that one of the most damaging aspects of this recent incident is the way it’s been handled. I believe their reputation will suffer specifically amongst the video gaming community – especially gaming enthusiasts such as hard core and pro gamers. One of the unique characteristics of the gaming community is that it’s global, classic Generation X, not especially brand loyal and very active in social media networks. Given the average age for a gamer is 35, people who have been playing since childhood the first arcade, console and home computer games continue playing now on current systems, they are more likely to be incensed and motivated to express their frustrations publicly."
What is clear from other company crises is that when handled poorly, such events can prove extremely costly to the organisation. When Coca-Cola failed to acknowledge a crisis in Belgium where sales were banned because of a reported case of poisoning ('where the f*** is Belgium?' snarled a dismissive Coca-Cola exec, who took no action) the issue spread to France, Germany then went Europe-wide and even spread to Saudi Arabia. The Coca-Cola poison fiasco cost the company an estimated $103 million.
Last year Toyota Motor Corp responded too slowly to concerns about its cars, letting fear, uncertainly and doubt spread – Was the problem just with the accelerators? Were the brakes affected too? "The company failed to convince its public that it was seriously dealing with the problem(s) and that customer safety was paramount," says Judith Ingleton-Beer, CEO of IBA. "Meanwhile the Tweeters are tweeting like mad, and drivers were resorting to the internet and bloggers for news."
Meanwhile, following the Gulf of Mexico oil spill and its highly controversial response to the leak, BP saw its brand power erode considerably.
Certainly these recent examples would suggest that Sony is in for a bumpy ride. "A roller coaster ride should be expected over the next 12 months," predicts Clarke. "The challenge will be to contain this issue from spilling into other customer segments. It will potentially put a break on Sony’s aspirations to become an entertainment led services business not just a product business. We can also expect this incident to foster aggressive competitor action to capitalise on Sony’s weakened reputation in this area."
Customer data lessons
So what can other businesses learn from Sony’s predicament? Certainly there are major issues relating to customer data collection and storage that should be taken on board.
"There is a broader issue here to do with data retention and data protection. This is an issue that is not going to go away. In fact, it is one that is simply going to grow and grow," says Merrin. "Our data retention laws dictate this and businesses and organisations in the public sector need to address this. Simply storing data in a data centre or database in the vain hope that legacy security systems will keep it safe are naïve. With even some of the biggest data security firms themselves being hacked it is high time the issue of security was addressed."
John Colley is managing director of (ISC)2 EMEA, the largest not-for-profit membership body of certified information security professionals worldwide. He believes that enterprises must start to reconsider the validity of data collection.
"The confession from Sony that the personal details of more than 70 million PlayStation Network customers has been obtained illegally by an ‘unauthorised person’ is yet again an unfortunate instance of security policy failing. Worryingly, these instances are now commonplace and enough simply isn’t being done to pre-empt such situations.
"At its core, enterprises need to reconsider the validity of data collection and accessibility. Marketing people, for example should perhaps review the amount and type of information they gather as well as how they gather it, given the level of attempts to defraud people via email. They must consider whether data needs to be stored permanently or whether it can be held temporarily. Authentication is a clear example of where the data usage requirement can be temporary.
"In this digital age, given the increasing levels of cybercrime for financial gain, businesses need to take a step back and ponder whether they are moving into an economically healthy online  age or whether the losses from law suits and reputation, such as in Sony’s instance now, will ultimately cripple organisations’ growth in the long-term."
Customer communication in a crisis
But there are other lessons to be learned from Sony’s crisis – in particular regarding customer communication during such an extraordinary event. "There is the core lesson that when confronted with a crisis a company needs to deal with it head on," says Merrin. "You cannot hide, you cannot run from it and you cannot hope that the problem will go away. Action needs to be taken immediately and swiftly, open and honestly."
Ingleton-Beer recommends businesses that find themselves with a similar crisis on their hands respond with the following action plan within the first 24 hours: 
  • 1. Get the facts. Assume the worst – who, what, where, when, how.... Then decide whether you're going with an instant rebuttal or damage limitation. 
  • 2. Instant rebuttal. The instant rebuttal is an absolute denial that the story is true. Make sure you are right, and remember, journalists often know in general but no-one ever tells them in detail. If necessary, in the case of an untrue report that is actually damaging to your company, you might need to consult with your lawyers and your PR professionals to obtain a retraction. There are quite specific techniques to obtain the retraction and to retain an ongoing professional relationship with the press concerned. Remember the objective is never to obtain financial damages from an influential publication in your marketplace. A retraction of an untrue story is what you require.
  • 3. Damage limitation. Take it on the chin – take full responsibility, be empathic to the victims, if there are any, and their families and be in control by outlining the problem and how they intend to solve it. 
  • 4. Lead from the top. The ultimate fall guy makes the statements. We need to know you care. It took Toyota months before the president spoke. 
  • 5. Communicate. With your staff, with your contact centre (remember, in a crisis, the person that answers the phone is as influential as top management), with your customers and with the media. Craft your message to suit your audience.
  • 6. Remember, signals speak louder than words. Tiger Woods, a 'Big Brand' in his own right, hid from the media for days, refused to let police officials talk to him and his wife, not once but THREE times, blamed the media and let the bloggers and Tweeters go wild! The signal? I have something to hide. So what should he have done? Assume the worst – that all the women involved were going to tell their stories. Admit responsibility – just imagine the sympathy vote he would have had if he had appeared after coming out of hospital in front of the cameras, bruised, battered and scarred from his wife's golf clubbing, and said he was sorry.
  • 7. Manage that valuable brand that's such an important part of your market capital and business. Remember the Perrier benzene contamination, where, although the product was recalled within a week, an initial communications vacuum was accompanied by attempts to say that there is nothing wrong with benzene. This was followed by confusion and inconsistent messaging among worldwide subsidiaries which prolonged the crisis, and lost Perrier its brand dominance. If only Perrier had launched an entirely new product, benzene free, it might have rescued its tarnished brand.
Clarke has three recommendations for how Sony should now attempt to mitigate the damage.
  1. Operational crisis management. There needs to be a full audit of all internal process frameworks and internal protocols to ensure these types of incidents fall within an acceptable level of risk. You can never mitigate fully against these types of coordinated attacks.
  2. Communications crisis management. Get the communications strategy right. When you mess up, acknowledge it. If there has been an operational shortfall it is important Sony recognises and acknowledge this; and in which case communications needs to be about mea culpa and not self-justification.
  3. Use all communications channels. Call/email customers, use social media networks, media, advertising to reach people and encourage an open dialogue.
Furthermore, Clarke suggests that actions can speak louder than words - "Also, we would recommend Sony giving something back to the gaming community that isn’t purely about commercial self-interest," he adds. There are already suggestions that Sony is planning to offer 'welcome back' freebies such as complimentary downloads and free services to show its appreciation for their customers.
“From here, Sony needs to provide full disclosure including what happened, when and what it is doing to fix it. Without full disclosure it can (and does) create suspicion and mistrust which is equally as damaging as the incident itself. In addition, not only will they be on the receiving end of criticism about their approach but also continued attempts to hack their system which would be most damaging for the long term value of the brand."
As an example of how to respond in the event of a branding disaster, Clarke highlights Dell’s reaction to the problem of exploding PC batteries in 2006.
"Dell and its exploding computers [battery recall] was the largest recall in the history of consumer electronics, and a good example of how to best handle an issue. Dell has since become a model for how a company can rapidly and accurately respond to its customers by:
  • Using open dialogue and clear communication. Communication channels included a customer service line and a website with details and instructions for customers.
  • Taking responsibility. Dell handled the crisis even though the batteries were manufactured by another company.
  • Demonstrating responsibility as a brand when things go wrong. Dell recalled the batteries despite the incident occurring in six out of 20 million batteries in the marketplace.
So in a nutshell, what we can learn from Sony’s crisis:
  • Look at the validity of data collection and accessibility.
  • Focus on operational not just communications crisis management.
  • Good communications can’t act as a sticking plaster for poor operational crisis procedures.
  •  Focus on proper process planning, specifically in terms of customer communication. If you get customer communication right it is less likely to become a major media issue.
  • Full disclosure - tell it all, tell it fast and tell the truth – can often stave off the worse ravages of reputational meltdown.
  • For businesses who don’t already have public relations and communications support, bring in a communications expert or agency to guide you through the crisis.
Ultimately, however, Merrin is optimistic that Sony will claw its way back from the brink of disaster, and already sees some encouraging signs.
"It is now down to the company to get control of the media agenda and to follow some pretty basic crisis management rules. Be open and honest with the press and your customers; communicate with them as regularly as possible; demonstrate that you not only empathise with the situation they are facing, but you are taking immediate action to mitigate any risk and future potential risk."
He concludes: "One interesting and highly symbolic action has already been taken by the senior management at Sony and that stands in stark contrast to the handling of the BP oil spill last year. Company executives bowed and apologised and this extraordinary cultural approach simply stood out in comparison with other corporate crisis management scenarios."

Replies (0)

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.