Sony has been fined £250,000 over 2011’s PSN hack, due to a “serious breach” of the Data Protection Act, according to the BBC this morning.
The Information Commissioner’s Office said that Sony’s security software was not up to date, and that the hack could have been prevented.
The ICO also said, in their report, that user passwords were not secure, and that names, addresses, dates of birth and payment card information could have been at risk.
“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority,” said David Smith, deputy commissioner and director of data protection at the ICO.
“In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough,” Smith added.
The ICO said that the security lapse was the “most serious it had ever seen,” and “there’s no disguising that this is a business that should have known better.”
This post on the 21st of April seems so innocent and naive, but it soon escalated. Sony first kept quiet on the matter, saying the network would be up much sooner than it was. Users were kept guessing as Sony scrambled to figure out what had happened and how best to break the news to its subscribers.
It was huge news, with that month generating a huge amount of interest in what was going on with Sony and the hack. At the time of writing we’ve got four pages of posts relating to it.
Then, five days later, this happened. The internet exploded.
Sony has since said that the PSN is more secure than ever.
Sony Europe will appeal against the fine, with a statement claiming “there is no evidence that encrypted payment card details were accessed,” and added that “personal data is unlikely to have been used for fraudulent purposes.”
“The reliability of our network services and the security of our consumers’ information are of the utmost importance to us, and we are appreciative that our network services are used by even more people around the world today than at the time of the criminal attack.”

ABlokeCalledDaz
This is the same ICO that failed to fine BT for releasing loads of its subscriber details in plain text form that got hacked and released into the wild a couple of years ago, which in my opinion is a worse crime than Sony’s as in that incident BT had no concept of security or privacy.
Is it Sony UK/EU/global that have to stump up the cash as the fine is local to the UK?
DirtyHabit
I don’t really see what fining companies like this actually achieves. All it does IMO is self-perpetuate these so-called regulators and keep pain-in-the-arse busybody employees in their made-up jobs.
quinkill
Above all, it sends a signal to other companies to make sure the data they have from customers is secure.
quinkill
250k is nothing for them. It’s a slap on the wrist. They know it wasn’t secure and they’ve learnt from that mistake.
Paranoimia
Should it have happened? No.
Was it serious? Hmm… potentially.
But I’ve yet to see any mention or confirmation, anywhere, that a single, solitary person actually lost anything more than some online gaming time as a result.
“The Information Commissioner’s Office said that Sony’s security software was not up to date, and that the hack could have been prevented.”
Saying that it could have been prevented is a bit misleading. Internet security kings RSA, as well as several high-grade military-related networks, have also been hacked in the last few years. So even if Sony had had military grade security on PSN, it could still have happened. No network is completely secure if the attacker is smart and determined enough.
xdarkmagician
Good.
IMO the fine is just the right amount, not too big where it would cripple Sony, but still large enough where some majority shareholders and COOs, CEOs, VPs, and CFOs are going to ask why their bonuses are smaller. Combined with the additional costs of the hack it’ll make Sony remember that when you operate a digital online service security is paramount.