The UK Information Commissioner's Office (ICO) today announced that it had imposed a fine of £250,000 (approximately $400,000) on Sony for "a serious breach of the Data Protection Act."
"In 2011, due to a hack of its PlayStation Network online gaming community's database, 77 million customers' personal details were exposed," notes InformationWeek's Gary Flood. "The cyber housebreakers were able to get away with customers' payment card details, names, postal and email addresses, dates of birth, and account passwords. In the U.K., about three million bank customers had to change their account details and obtain new credit cards, it has been reported."
"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority," ICO deputy commissioner and director of data protection David Smith said in a statement. "In this case that just didn’t happen, and when the database was targeted -- albeit in a determined criminal attack -- the security measures in place were simply not good enough. There’s no disguising that this is a business that should have known better."
"The reason for the fine is simply one of security failings," writes Geek.com's Matthew Humphries. "The ICO, having looked over the details of what happened, decided the breach was clearly Sony’s fault because security was so poorly implemented that the 'determined criminal attack' proved successful. Just as importantly, they found the attack could have been prevented."
"The agency gave Sony until February 13 to pay a reduced fine at a discount of 20 percent," writes Ars Technica's Dan Goodin. "It also gave Sony the option of appealing the ruling. The ICO has the authority to levy fines as high as £500,000."
"Sony disagrees with the ruling and is planning to appeal," Infosecurity reports. "It points out that the ICO admits that it was 'a determined criminal hack' and claims that there is no evidence that encrypted payment card details were accessed nor that any personal data has been used for 'fraudulent purposes.'"