ICO fines Sony £250,000 for PlayStation Network hack
Record fine for April 2011 data breach. Sony plans to appeal
Sony has received a record £250,000 fine from the Information Commissioner's Office (ICO) as punishment for the PlayStation Network (PSN) hack that took place in April 2011.
The electronics firm says it "strongly disagrees" with the verdict and will appeal against the fine.
The ICO considers the attack, which saw Sony take down its PSN for 24 days, a serious breach of the Data Protection Act. The PSN hack compromised the personal details of millions of PlayStation users, including names, addresses, email addresses, dates of birth and account passwords.
Customers' credit card details were also deemed to be potentially at risk.
An ICO investigation came to the conclusion that the breach could have been prevented if passwords had been stored more securely and software had been up-to-date.
"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough," said David Smith, ICO deputy commissioner and director of data protection.
"There's no disguising that this is a business that should have known better. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft."
Sony argues that there is no evidence to suggest encrypted bank details were accessed, and insists it takes protecting customer information very seriously. It said it would appeal against the ICO's ruling.
"Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient," Sony said in a statement.
"The reliability of our network services and the security of our consumers' information are of the utmost importance to us, and we are appreciative that our network services are used by even more people around the world today than at the time of the criminal attack."
Commenting on the Sony breach, Ross Parsell, head of cyber security at Thales UK, argued "basic lessons on information security are not being learned".
"A perimeter-based approach to security based around firewalls and defensive controls around the IT network is no longer sufficient.
"Organisations need to rethink their approach to information security and take care to classify and protect data itself according to the sensitivity of that information," he said.