ICO slaps Sony with £250,000 fine over PSN breach

ICO slaps Sony with £250,000 fine over PSN breach

Sony has been hit with a £250,000 fine by the Information Commissioner's Office over the 2011 attack on its PlayStation Network and the subsequent breach of customers' personal data.

Sony has found itself on the sharp end of a £250,000 fine from the Information Commissioner's Office as a result of its investigation into the breach of the PlayStation Network service in April 2011.

The attack resulted in personal data of millions of PSN users being downloaded without their authorisation, including passwords, names, email and physical addresses. While the company initially denied that credit card details were included in the breach, this was proven false when hackers released a database of some 2.2 million credit card details belonging to PSN members.

While Sony initially played down the severity of the attack, claiming at the time that 'all of the data was protected, and access was restricted both physically and through the perimeter and security of the network,' details released by the attackers showed major failings in the company's approach to network security - failings that were only addressed following prolonged downtime for the PSN service.

A long-running investigation, carried out by ICO on behalf of UK consumers affected by the breach, has now concluded that Sony was culpable as a result of not keeping its network up to date and by not using best-practice procedures - such as only storing non-reversible hashes instead of plain-text passwords - for personal data storage. As a result it has handed down a £250,000 fine - half the maximum fine permissible under the legislation used.

'If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority,' deputy commissioner and director of data protection at ICO David Smith explained in a statement on the ruling. 'In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough. There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

'The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft. If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to,
' Smith concluded.

Sony has indicated its displeasure with the ruling, and indicated that it intends to appeal against the fine.


Discuss in the forums Reply
greigaitken 24th January 2013, 10:59 Quote
"£250,000 fine - the highest fine permissible under the legislation used."
I spy some legislation that needs an update
Griffter 24th January 2013, 11:17 Quote
i guess PS CEO will have to pay it himself with the money he earned from one days work. oh what a shame, hope he can get through the month now.
Corky42 24th January 2013, 11:38 Quote
Only going on this
The maximum fine is £500k, Also interesting to read its like a parking fine in that it gets reduced if payed early :(
Gareth Halfacree 24th January 2013, 11:48 Quote
Originally Posted by Corky42
Only going on this
The maximum fine is £500k, Also interesting to read its like a parking fine in that it gets reduced if payed early :(
My bad: I was thinking of the old fine guidelines, which topped out at £250,000. I say "old" - the new ones came into force in 2009, so you'd think I'd have got used to them by now...

I've updated the piece - ta!
Mankz 24th January 2013, 12:42 Quote
Appealing against £250,000?

Surely it will cost them more in legal fees and bad PR if they dont just pay up.
Gareth Halfacree 24th January 2013, 12:48 Quote
Originally Posted by Mankz
Appealing against £250,000? Surely it will cost them more in legal fees and bad PR if they dont just pay up.
But the ruling potentially opens Sony up to civil claims from victims. I mean, you could bring a suit against Sony regardless of the ruling, but "and ICO said it was their fault" is a convincing argument to bring to a judge...
Necrow 24th January 2013, 16:17 Quote
£250K - That's nothing for Sony, a minute or so of global trading. What they should do in these cases is put a ban on them exporting good for 1 to 2 weeks. That would be a much bigger fine and would have a better effect.
Eggy 24th January 2013, 16:27 Quote
Can't count the number of services that got hacked and might have lost customer data. It has not even been proven that credit card data was stolen so you will have a hard time proving you need to be compensated.
Corky42 24th January 2013, 16:27 Quote
The damage to there reputation probably cost them more, and yes i know there is no way to measure such a thing.
fdbh96 24th January 2013, 16:47 Quote
Just a question, where does the money go from stuff like this?

Surely it would be better off improving security at Sony, than taking it away from them.
Corky42 24th January 2013, 18:37 Quote
AFAIK it goes to the consolidated fund which is the governments general bank account.
Ream 24th January 2013, 23:00 Quote
Pointless fine, waste of time and money even processing this throught the courts, unless fines are going to be massive 10mill+ then most companys wont care.
Metaporic 25th January 2013, 00:55 Quote
Its not the fine that matters its the symbolism. Sure if we are talking a fine of several million then it matters, but the fact is anything short of the hundreds of millions can probably be shrugged of by a big (if struggling) company like Sony.

What counts is that the company has been shown up as wrong and left red-faced. It also as mentioned opens the door to a whole bunch of consumer lawsuits as well as setting further precedent for related cases for the company.

While its not as effective as a massive fine it has clearly still had some form of impact on Sony if they are planning to appeal for an amount that is unlikely to even register on their radar. Tbh being found guilty seriously undermines consumer trust in Sony with important account information, most of all credit card information that is important to services such as PSN (For both parties). Its just another blow for what was already a PR disaster. There is no longer anyway for the company to state innocence or that it was wholly the shear determination and skill of the hackers.
Corky42 25th January 2013, 03:12 Quote
It must really suck for them as i think they fessed up to the ICO in the first place with what happened.
Makes me wonder if they had not informed the ICO would they eventually have been investigated anyway?
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.

Discuss in the forums