Sony’s been fined nearly $400,000 in the UK for the security breach that led to the hacking of its PlayStation Network in April 2011.
Using a series of DDoS attacks, the LulzSec hackers were able to access the details of more than two million credit cards, and the network was down for several days.
But the UK’s Information Commissioner’s Office says that Sony was partially to blame, as it had been using out-of-date software and passwords weren’t secure.
“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough,” says deputy commissioner and director of data protection David Smith.
“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
As a result, the ICO has imposed a fine of £250,000 on Sony – the highest ever awarded against a privite company – although it gets a 20 percent discount if it coughs up before 13 February. That’s also the date by which Sony needs to file an appeal – which it surely will.
“The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us,” says Smith. “It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”
Interestingly, the ICO made no mention of the fact that Sony failed to alert users to the hack until several days had passed – probably the feature of the case that caused most outrage at the time.
A redacted version of the ruling is here.