The Information Commissioner’s Office (ICO) has issued a monetary penalty of £250,000 against Sony Computer Entertainment Europe for a serious breach of the Data Protection Act (DPA).
Personal information – including names, addresses, email addresses, dates of birth and account passwords – was exposed. Payment card details were put at risk.
An ICO investigation found the attack could have been prevented if the software had been up-to-date. Technical developments meant passwords were not secure.
“If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority,” said David Smith, deputy commissioner and director of data protection.
“In this case that just didn’t happen and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough,” David Smith said.
Sony should have known better, said Smith, as it is a company that trades on its technical expertise.
“There is no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe,” he said.
Smith said the penalty reflects the fact that the case was one of the most serious ever reported to the ICO. It directly affected a huge number of consumers, putting them at risk of identity theft, he said.
“Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to,” said Smith.
Sony takes remedial steps
Following the breach, Sony rebuilt its network platform to ensure the personal information it processes is kept secure.
Sony also appointed Philip Reitinger as senior vice-president and chief information security officer.
Philip Reitinger – who has held cyber security positions at Microsoft and the US Departments of Homeland Security, Defense and Justice – is responsible for assuring the security of Sony's information assets and services.
At the time, Sony said Reitinger would oversee information security, privacy and internet safety across the company, co-ordinating closely with key headquarters groups and working in partnership with the information security community to bring the best ideas and approaches to Sony.
Security company Check Point’s UK managing director, Terry Greer-King, said the breach underlined the fact companies had to take the protection of customer data seriously and take steps to prevent that data being accessed.
“In 2012, we surveyed over 550 C-level and IT staff at UK firms and found they reported an average of 68 new security attack attempts per week, with financial fraud and theft of customer data as the primary targets,” said Greer-King.
“It shows how big this problem has become and the importance of implementing pre-emptive protection to safeguard critical data assets.”