Attacks/Breaches
1/24/2013
10:29 AM
50%
50%

Sony Slapped With $390,000 U.K. Data Breach Fine

U.K. data privacy czar levies huge penalty on the consumer electronics giant over its 2011 PlayStation Network security breach.

Sony's European arm has been dealt a harsh punishment by the U.K.'s data privacy czar for poor protection of its customer's privacy: a punishing $390,000 (£250,000) fine.

In 2011, due to a hack of its PlayStation Network online gaming community's database, 77 million customers' personal details were exposed. The cyber housebreakers were able to get away with customers' payment card details, names, postal and email addresses, dates of birth, and account passwords. In the U.K., about three million bank customers had to change their account details and obtain new credit cards, it has been reported.

Two years later, the U.K. Information Commissioner -- the official watchdog for privacy and data security -- has decided the breach was due to poor IT security by Sony and has decided to teach it a lesson.

It busted the company under the U.K.'s 1998 Data Protection Act, after its investigators decided the attack could have been prevented if network software had been up to date. It also believes the way Sony Entertainment Europe had set up user passwords was not sufficiently secure.

[ Java security news is not getting any better. See Java Hacker Uncovers Two Flaws In Latest Update. ]

The Data Protection Act offers eight central principles that any organization working in the U.K. and holding personal data must comply with. These require that such personal information must be: fairly and lawfully processed; obtained for limited purposes; adequate, relevant and not excessive; accurate and kept up to date; never kept for longer than necessary; processed in line with personal legal rights; not transferred to other countries without adequate protection; and, most relevant to this case, always kept securely.

The organization's deputy commissioner and director of data protection, David Smith, said in the Information Commissioner's finding that, "If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted -- albeit in a determined criminal attack -- the security measures in place were simply not good enough ... There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."

The body also points to the impact the scandal has had on U.K. consumers' willingness to share their personal information online, which could of course impact U.K. e-commerce more widely. It quotes data based on market research conducted shortly after the incident that said 77% of consumers had been left "more cautious" about giving their personal details to websites.

The Information Commissioner's action is part of a stream of high-profile actions on organizations it deems have been too lax in protecting customer information.

What's unusual here is both the size of the financial swipe it's made on the global brand of Sony -- more commonly, it fines public-sector bodies in the U.K., with a particular focus on cases where hospital workers lose USBs with sensitive patient data -- and also how clearly it says the company's bad security practices are to blame.

"The penalty we've issued today is clearly substantial, but we make no apologies for that," says Smith. "The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft."

Sony has yet to publicly react to the news.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/2/2013 | 5:37:55 PM
re: Sony Slapped With $390,000 U.K. Data Breach Fine
It took 2 years to figure that the breech was due to poor IT security, wasnG«÷t that obvious? David Smith was correct; when people disclose their credit card information to companies there is an obvious responsibility for the company holding that information maintains it securely. A mere $390,000 doesnG«÷t really seem to cut it when the number of compromised accounts is 77 million, especially as large as a company as Sony is.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5426
Published: 2014-11-27
MatrikonOPC OPC Server for DNP3 1.2.3 and earlier allows remote attackers to cause a denial of service (unhandled exception and DNP3 process crash) via a crafted message.

CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?