TechWeb

Sony Slapped With $390,000 U.K. Data Breach Fine

Jan 24, 2013 (05:01 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=240146918


Sony's European arm has been dealt a harsh punishment by the U.K.'s data privacy czar for poor protection of its customer's privacy: a punishing $390,000 (£250,000) fine.

In 2011, due to a hack of its PlayStation Network online gaming community's database, 77 million customers' personal details were exposed. The cyber housebreakers were able to get away with customers' payment card details, names, postal and email addresses, dates of birth, and account passwords. In the U.K., about three million bank customers had to change their account details and obtain new credit cards, it has been reported.

Two years later, the U.K. Information Commissioner -- the official watchdog for privacy and data security -- has decided the breach was due to poor IT security by Sony and has decided to teach it a lesson.

It busted the company under the U.K.'s 1998 Data Protection Act, after its investigators decided the attack could have been prevented if network software had been up to date. It also believes the way Sony Entertainment Europe had set up user passwords was not sufficiently secure.

[ Java security news is not getting any better. See Java Hacker Uncovers Two Flaws In Latest Update. ]

The Data Protection Act offers eight central principles that any organization working in the U.K. and holding personal data must comply with. These require that such personal information must be: fairly and lawfully processed; obtained for limited purposes; adequate, relevant and not excessive; accurate and kept up to date; never kept for longer than necessary; processed in line with personal legal rights; not transferred to other countries without adequate protection; and, most relevant to this case, always kept securely.

The organization's deputy commissioner and director of data protection, David Smith, said in the Information Commissioner's finding that, "If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted -- albeit in a determined criminal attack -- the security measures in place were simply not good enough ... There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."

The body also points to the impact the scandal has had on U.K. consumers' willingness to share their personal information online, which could of course impact U.K. e-commerce more widely. It quotes data based on market research conducted shortly after the incident that said 77% of consumers had been left "more cautious" about giving their personal details to websites.

The Information Commissioner's action is part of a stream of high-profile actions on organizations it deems have been too lax in protecting customer information.

What's unusual here is both the size of the financial swipe it's made on the global brand of Sony -- more commonly, it fines public-sector bodies in the U.K., with a particular focus on cases where hospital workers lose USBs with sensitive patient data -- and also how clearly it says the company's bad security practices are to blame.

"The penalty we've issued today is clearly substantial, but we make no apologies for that," says Smith. "The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft."

Sony has yet to publicly react to the news.