U.K. Fines Sony over PlayStation Breach

Sony to Appeal £250,000 Penalty for Not Protecting Data
U.K. Fines Sony over PlayStation Breach

British authorities have fined the European arm of Sony Entertainment Network £250,000 - that's nearly $400,000 - for not taking appropriate steps to safeguard customers' personal information when hackers attacked its PlayStation Network in April 2011.

See Also: Detecting Insider Threats Through Machine Learning

Britain's Information Commissioner's Office, in a report issued on Jan. 24, says its investigation found that the attack could have been prevented if the network's software had been up-to-date. In addition, U.K. authorities contend Sony's technology at the time did not appropriately secure passwords.

A spokesman for Sony Computer Entertainment Europe said in a statement that the company strongly disagrees with the ruling and plans to appeal it.

"The ICO recognizes Sony was the victim of 'a focused and determined criminal attack,' that 'there is no evidence that encrypted payment card details were accessed,' and that 'personal data is unlikely to have been used for fraudulent purposes' following the attack on the PlayStation Network," Sony spokesman Jonathan Fargher said.

The breach revealed the personal information of 77 million customers of Sony's PlayStation Network and Qriocity service, including their names, addresses, dates of birth and account passwords. Customers' payment card details also were exposed.

'Should Have Known Better'

"If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough," David Smith, deputy information commissioner and director of data protection, said in a statement announcing the fine.

"There's no disguising that this is a business that should have known better," Smith said. "It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."

The attacks occurred between April 17 and 19, 2011, forcing Sony to shutter the PlayStation network on April 20. The outage lasted for more than three weeks.

Within a month of the attacks, Sony said distributed denial of service attacks camouflaged simultaneous intrusions that resulted in the exposure of the personal information [see Sony: DDoS Masked Data Exfiltration].

At the time of the attacks, Sony did not have a chief information security officer. That was remedied in September 2011, when Sony tapped Phillip Reitinger, a onetime top cybersecurity policymaker at the Department of Homeland Security, as its CISO and senior vice president [see Ex-DHS Official Becomes Sony's CISO].


About the Author

Eric Chabrow

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network