ICO slaps Sony with £250,000 fine over PSN breach

January 24, 2013 // 10:48 a.m.

Tags: #ico #information-commissioner #playstation-3 #playstation-network #playstation-portable #playstation-vita #privacy #ps3 #psn #psp #security #sony

Sony has found itself on the sharp end of a £250,000 fine from the Information Commissioner's Office as a result of its investigation into the breach of the PlayStation Network service in April 2011.

The attack resulted in the personal data of millions of PSN users being downloaded without authorisation, including passwords, names, and email and physical addresses. While the company initially denied that credit card details were included in the breach, this was proven false when hackers released a database of some 2.2 million credit card details belonging to PSN members.

While Sony initially played down the severity of the attack, claiming at the time that 'all of the data was protected, and access was restricted both physically and through the perimeter and security of the network,' details released by the attackers showed major failings in the company's approach to network security - failings that were only addressed following prolonged downtime for the PSN service.

A long-running investigation, carried out by ICO on behalf of UK consumers affected by the breach, has now concluded that Sony was culpable for not keeping its network up to date and for not following best-practice procedures for the storage of personal data, such as storing only non-reversible hashes instead of plain-text passwords. As a result it has handed down a £250,000 fine - half the maximum fine permissible under the legislation used.
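The practice the ICO faulted Sony for not following, storing only a non-reversible verifier rather than the password itself, looks like this in practice. The example below is added here and is not code from the original article, from Sony or from the ICO; the choice of PBKDF2-HMAC-SHA256, the iteration count, the salt length and the storage format are all this example's own assumptions, and the user table is constructed for illustration.

```python
"""
Added example (not part of the original article, nor Sony's or the ICO's code):
storing non-reversible, per-user-salted password verifiers instead of
plain-text passwords, using only the Python standard library.

Assumptions of this example: PBKDF2-HMAC-SHA256, 600,000 iterations,
16-byte random salt, and a self-describing record format of the form
pbkdf2_sha256$<iterations>$<salt-b64>$<hash-b64>. Nothing here is taken
from Sony's or the ICO's description of PSN.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: a deliberately slow cost to make guessing expensive
SALT_BYTES = 16        # assumption: per-user random salt so equal passwords hash differently
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the verifier string to store in place of the password.

    The stored string cannot be turned back into the password. An attacker who
    steals the table must guess each password and pay ITERATIONS of PBKDF2 per
    guess per user, because every user has a distinct salt.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DKLEN
    )
    return "%s$%d$%s$%s" % (
        ALGORITHM,
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        if algo != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iters), dklen=len(expected)
        )
    except (ValueError, TypeError):
        # Malformed record: refuse rather than fall back to a weaker comparison.
        return False
    return hmac.compare_digest(dk, expected)


def build_user_table(credentials):
    """Constructed helper: turn (username, password) pairs into a table that
    holds only verifiers, never the passwords themselves."""
    return {user: hash_password(pw) for user, pw in credentials}


def login(table, user: str, password: str) -> bool:
    """Authenticate against the verifier table; unknown users simply fail."""
    stored = table.get(user)
    return stored is not None and verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample accounts, not real PSN data.
    table = build_user_table([("alice", "correct horse battery"), ("bob", "hunter2")])
    for user, record in table.items():
        print(user, "->", record)        # no plain-text password appears anywhere
    print("alice, right password:", login(table, "alice", "correct horse battery"))
    print("alice, wrong password:", login(table, "alice", "hunter2"))
```

Note that the record carries its own iteration count, so the cost can be raised for new accounts without breaking existing ones, and that `hmac.compare_digest` avoids leaking, through timing, how many bytes of a guess matched.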

'If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority,' deputy commissioner and director of data protection at ICO David Smith explained in a statement on the ruling. 'In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough. There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

'The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft. If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to,' Smith concluded.

Sony has expressed its displeasure with the ruling and indicated that it intends to appeal against the fine.
