Sony fined £250,000 for 2011 PlayStation Network breach - Update
The UK's Information Commissioner's Office has fined Sony £250,000 for its failure to protect users' information in 2011. In April 2011, Sony's PlayStation Network was subjected first to several denial-of-service attacks and then compromised, allowing attackers to take information including email addresses, addresses, passwords and dates of birth.
ICO says that although some effort was made to protect passwords, at the time of the attack those efforts were not appropriate because Sony had not kept up with technical developments. Access to the network was gained through a vulnerability, and ICO found that the administrators of the network had previously failed to address that vulnerability despite the availability of updates that would have closed the hole.
ICO does say that there is no evidence that encrypted payment card details were accessed, but does cite the lack of additional cryptographic protections on passwords and the failure to address system vulnerabilities as a "serious contravention of section 4(4)" of the Data Protection Act 1998. Since the Criminal Justice and Immigration Act 2008, ICO has been able, in the case of serious contraventions of the act, to apply fines of up to £500,000. In Sony's case, the £250,000 penalty was set because the company could afford it, had failed to act despite sufficient resources, and had placed other accounts at risk. ICO took Sony's voluntary reporting of the issue and cooperation, the "Welcome back" pack for affected customers, a lack of complaints and the fact that Sony has taken "substantial remedial action" into account.
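The ruling criticises the "lack of additional cryptographic protections on passwords" and the failure to keep up with technical developments, without saying what those protections should be. The following is an added illustration, not code from the article or from Sony, of what password-storage practice typically means in that context: a per-user random salt and a deliberately slow, iterated key derivation (PBKDF2-HMAC-SHA256 here), stored alongside its parameters so the work factor can be raised later without a breach forcing the change. The weak form shown first, an unsalted single-pass digest, is the pattern such storage is meant to replace. Iteration counts, salt length and the record format are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example; they are not taken from the ICO report.
ITERATIONS = 600_000      # current work factor for new hashes
SALT_BYTES = 16           # per-user random salt length


def weak_hash(password: str) -> str:
    """Unsalted single-pass SHA-1: the pattern that offers no 'additional' protection.

    Identical passwords produce identical digests, and the digest can be
    checked at hardware speed against precomputed tables once it leaks.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record: algo$iterations$salt$dk (all hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, current_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a lower work factor than the current policy.

    Checking this at each successful login is how a site 'keeps up with
    technical developments': old records are upgraded as users authenticate.
    """
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < current_iterations


if __name__ == "__main__":
    # Constructed sample credential; not real data.
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong pw :", verify_password("Tr0ub4dor&3", record))
    old = hash_password("correct horse battery staple", iterations=10_000)
    print("old record needs rehash:", needs_rehash(old))
```

Two properties worth noting: hashing the same password twice yields different records because each call draws a new salt, so a leaked table does not reveal which users share a password; and `needs_rehash` is what lets the stored work factor rise over time, which is the operational gap the ruling describes when it says the protections were not kept current.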
The Deputy Commissioner David Smith called the case "one of the most serious ever reported to us". He did note though that a poll after the breach had found "77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to". ICO also took the opportunity to remind companies of the 8 Principles of the Data Protection Act which, among other things, require that personal data is held securely.
Update - Sony Computer Entertainment Europe says it plans to appeal as it "strongly disagrees with ICO's ruling". Sony appears to argue that although "the ICO recognises Sony was the victim of 'a focused and determined criminal attack'", there was no access to payment card details or fraudulent use of the identity information.