UK Regulators to Fine Sony £250,000 for the “Preventable” 2011 PSN Hack, Appeal Planned

The 2011 PSN hack was a huge embarrassment for Sony, scaring away existing customers and potential buyers, as well as shutting down a lucrative digital store for over a month. At the time, the company estimated that the whole mess cost them approximately £106 million/$171 million. But they apologized profusely, gave out free identity protection and a bunch of free games, along with revamping their security protocol. They had licked their wounds, and planned to move on.

But the ordeal is far from over – the UK Information Commissioner’s Office has said that Sony “let everybody down” with “the most serious breach we have had reported to us,” and, as punishment, will fine Sony Computer Entertainment Europe’s offices in the UK a whopping £250,000 ($396,100) for its fault in the matter.

ICO’s deputy commissioner and director of data protection, David Smith, said:

If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority.

In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.

He continued:

The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.

If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to.

The legal document provided by ICO is heavily redacted, but lists failings by the data controller as reasons for the fine’s severity, such as not using the latest security measures: “The data controller knew, or ought to have known, that there was a risk that the contravention would occur unless reasonable steps were taken”. Additionally, ICO complains that, because of Anonymous’ DDoS attacks prior to the hack, Sony should have taken steps to beef up its security measures. In Sony’s defense, Anonymous had no plans to hack the PSN and openly said as much, but Sony certainly should have prepared.

ICO admits that “there is no evidence that the encrypted payment card details were accessed”, says it has received no complaints or reports of harm from the personal data that was lost, and does not believe that data was used by the hackers. The commission also credits Sony for its ‘welcome back’ package, for voluntarily cooperating with the investigation, and for the substantial security changes that have since been made.

Sony plans to appeal the fine, saying:

There is no evidence that encrypted payment card details were accessed… personal data is unlikely to have been used for fraudulent purposes.

The reliability of our network services and the security of our consumers’ information are of the utmost importance to us, and we are appreciative that our network services are used by even more people around the world today than at the time of the criminal attack.

Although Sony is appealing, the document notes that if Sony pays the fine in full by Feb 13th, it would receive a discount and only have to pay £200,000. The maximum fine that could have been imposed was £500,000.

Be sure to stick to PSLS as the story develops, and let us know if you think Sony is at fault.