Attacks/Breaches
1/24/2013
10:29 AM
Connect Directly
RSS
E-Mail
50%
50%

Sony Slapped With $390,000 U.K. Data Breach Fine

U.K. data privacy czar levies huge penalty on the consumer electronics giant over its 2011 PlayStation Network security breach.

Sony's European arm has been dealt a harsh punishment by the U.K.'s data privacy czar for poor protection of its customer's privacy: a punishing $390,000 (£250,000) fine.

In 2011, due to a hack of its PlayStation Network online gaming community's database, 77 million customers' personal details were exposed. The cyber housebreakers were able to get away with customers' payment card details, names, postal and email addresses, dates of birth, and account passwords. In the U.K., about three million bank customers had to change their account details and obtain new credit cards, it has been reported.

Two years later, the U.K. Information Commissioner -- the official watchdog for privacy and data security -- has decided the breach was due to poor IT security by Sony and has decided to teach it a lesson.

It busted the company under the U.K.'s 1998 Data Protection Act, after its investigators decided the attack could have been prevented if network software had been up to date. It also believes the way Sony Entertainment Europe had set up user passwords was not sufficiently secure.

[ Java security news is not getting any better. See Java Hacker Uncovers Two Flaws In Latest Update. ]

The Data Protection Act offers eight central principles that any organization working in the U.K. and holding personal data must comply with. These require that such personal information must be: fairly and lawfully processed; obtained for limited purposes; adequate, relevant and not excessive; accurate and kept up to date; never kept for longer than necessary; processed in line with personal legal rights; not transferred to other countries without adequate protection; and, most relevant to this case, always kept securely.

The organization's deputy commissioner and director of data protection, David Smith, said in the Information Commissioner's finding that, "If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted -- albeit in a determined criminal attack -- the security measures in place were simply not good enough ... There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."

The body also points to the impact the scandal has had on U.K. consumers' willingness to share their personal information online, which could of course impact U.K. e-commerce more widely. It quotes data based on market research conducted shortly after the incident that said 77% of consumers had been left "more cautious" about giving their personal details to websites.

The Information Commissioner's action is part of a stream of high-profile actions on organizations it deems have been too lax in protecting customer information.

What's unusual here is both the size of the financial swipe it's made on the global brand of Sony -- more commonly, it fines public-sector bodies in the U.K., with a particular focus on cases where hospital workers lose USBs with sensitive patient data -- and also how clearly it says the company's bad security practices are to blame.

"The penalty we've issued today is clearly substantial, but we make no apologies for that," says Smith. "The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft."

Sony has yet to publicly react to the news.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/2/2013 | 5:37:55 PM
re: Sony Slapped With $390,000 U.K. Data Breach Fine
It took 2 years to figure that the breech was due to poor IT security, wasnGÇÖt that obvious? David Smith was correct; when people disclose their credit card information to companies there is an obvious responsibility for the company holding that information maintains it securely. A mere $390,000 doesnGÇÖt really seem to cut it when the number of compromised accounts is 77 million, especially as large as a company as Sony is.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-5522
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6025. Reason: This candidate is a reservation duplicate of CVE-2014-6025. Notes: All CVE users should reference CVE-2014-6025 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-5523
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5524. Reason: This candidate is a duplicate of CVE-2014-5524. Notes: All CVE users should reference CVE-2014-5524 instead of this candidate. All references and descriptions in this candidate have been removed to prevent acciden...

CVE-2014-5575
Published: 2014-09-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

CVE-2014-5665
Published: 2014-09-22
The Mzone Login (aka com.mr384.MzoneLogin) application 1.2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio