ICO fines Sony quarter of a million for 2011 security breach

News by Dan Raywood

The Information Commissioner's Office (ICO) has issued a fine of £250,000 to Sony for security failures around its PlayStation Network breach in 2011.


According to the ICO, the monetary penalty was issued because of the breach of the Sony PlayStation Network platform, which compromised users' names, addresses, email addresses and passwords.


The ICO said that its investigation revealed that the attack could have been prevented if the software had been up to date, while technical developments also meant passwords were not secure.


David Smith, deputy commissioner and director of data protection, said: “If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.


“There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.


“The penalty we've issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”


Security specialist and consultant Bruce Hallas pointed out on Twitter that the size of the fine for three million UK users equated to an eight pence fine per record.


Chris McIntosh, CEO of ViaSat UK, called the news 'wholly positive', but said that it also demonstrates a worrying lack of regard for data protection at a large organisation that should really know better.


“Any organisation trusted with safeguarding the personal details of millions of customers, including payment card details, should ensure it has the most rigorous data security policies in place possible to protect against threats like these,” he said.


“The fact that the data breach could have been avoided by something as simple as a software update shows a worrying lack of regard and a poor perception of the existing threats. The ICO has said one positive outcome of the data breach is it has made consumers more cautious, yet customers should not have to worry about their personal details and the onus should be largely on the data custodian's shoulders.”


Check Point's UK managing director, Terry Greer-King, said: “It underlines the fact that companies have to take the protection of customer data seriously, and take steps to prevent that data being accessed.”

