If you thought (or wished) that you’d heard the last of 2011’s infamous PlayStation Network outage, then think again. A UK government body responsible for investigating the hack has issued the platform holder with a £250,000 ($395k) fine, describing the attack as a “serious breach of the Data Protection Act”.
The Information Commissioner’s Office stated that the breach compromised the personal information of millions of consumers, including “their names, addresses, email addresses, dates of birth, and account passwords”. Payment information was also at risk, it added.
“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority,” explained David Smith, deputy commissioner and director of data protection. “In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.”
Sony has since responded to the ruling, declaring its intent to appeal: “SCEE notes that the ICO recognises Sony was the victim of ‘a focused and determined criminal attack’, that ‘there is no evidence that encrypted payment card details were accessed’, and that ‘personal data is unlikely to have been used for fraudulent purposes’ following the attack on the PlayStation Network.
“Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient.”
The organisation added that the “reliability of our network services and the security of our consumers’ information are of the utmost importance to us”. The firm employed a leading security specialist shortly after the breach in mid-2011 to ensure that the scenario would never occur again.
Considering no one was ever actually affected by the attack, this ruling seems harsh to us. There were plenty of stories about fraudulent charges during the outage, but none of that was ever tracked back to the PlayStation Network, regardless of what mainstream outlets reported at the time. Why dig this back up now?
[source ico.gov.uk, via mcvuk.com, vg247.com, vg247.com, eurogamer.net]
Comments 5
To be honest, Sony was culpable of a breach in its Data Protection duties. Seems a bit silly to appeal over such a small amount for such a wealthy company.
Why dig this back now?
One word MONEY.
Let's just say they were kinda in need of some money and this was the perfect excuse to charge Sony.
Just a slap on the wrist then. It clearly wasn't THAT big a breach of the Data Protection Act.
I want to know why ICO wasn't doing regular inspections of Sony's security measures, potentially preventing this from happening. Seems like a money grab to just pop up after the fact and say "since you were hacked you obviously didn't have sufficient security, pay $250K."
So if somebody breaks into your office you get fined? Blame the victim much?
I'd be ok with fining Sony - if they were warned beforehand that their security was weak and needed to be upgraded but they declined, or they were being fined for not reporting the breach and playing down i.e. lying about the severity, which I think was a bigger issue here in the states.
Unless you can prove Sony knew in advance that its security was subpar - and who knows maybe there is a smoking gun email somewhere - you just shouldn't fine them after the fact.
PS - I predict that tomorrow Anonymous will break into The Information Commissioner’s Office and then request that they fine themselves.