Sony fined almost $400,000 for 2011 PlayStation security breach

Sony Computer Entertainment Europe has been fined almost $400,000 by the British Information Commissioner’s Office for the hacker attack its PlayStation network suffered in April 2011. The ICO said Sony was in part responsible for the subsequent breach of customer privacy through negligence in keeping its security software and protocols up to date.

Describing the hacking attack as “a serious breach of the Data Protection Act,” the Information Commissioner’s Office fined the Sony subsidiary £250,000, noting that “the attack could have been prevented if the [security] software had been up-to-date, while technical developments also meant passwords were not secure.” The organization does, however, note that “following the breach, Sony has rebuilt its Network Platform to ensure that the personal information it processes is kept secure.”

In a statement accompanying the ICO’s announcement of the fine, David Smith, the British Deputy Commissioner and Director of Data Protection, admitted that “the penalty we’ve issued today is clearly substantial, but we make no apologies for that,” going on to describe the PlayStation breach as “one of the most serious ever reported to us [as well as one that] directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority,” Smith said. “In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough. There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”

However, it wasn’t all bad news, he continued. “If there’s any bright side to this, it’s that a PR Week poll shortly after the breach found the case had left 77 percent of consumers more cautious about giving their personal details to other websites.”

Payment of the fine is due by February 14, with a 20 percent discount (bringing the total to £200,000, or $315,740 USD) if the amount is paid in full by February 13.

In response to the ICO statement, a spokesman at Sony Computer Entertainment Europe said that the company felt that the fine was undeserved. “Sony Computer Entertainment Europe strongly disagrees with the ICO’s ruling and is planning an appeal,” a spokesman for the company said in a statement. “SCEE notes, however, that the ICO recognizes Sony was the victim of ‘a focused and determined criminal attack,’ that ‘there is no evidence that encrypted payment card details were accessed,’ and that ‘personal data is unlikely to have been used for fraudulent purposes’ following the attack on the PlayStation Network.”