Attacks/Breaches
1/24/2013
10:29 AM
Connect Directly
RSS
E-Mail
50%
50%

Sony Slapped With $390,000 U.K. Data Breach Fine

U.K. data privacy czar levies huge penalty on the consumer electronics giant over its 2011 PlayStation Network security breach.

Sony's European arm has been dealt a harsh punishment by the U.K.'s data privacy czar for poor protection of its customer's privacy: a punishing $390,000 (£250,000) fine.

In 2011, due to a hack of its PlayStation Network online gaming community's database, 77 million customers' personal details were exposed. The cyber housebreakers were able to get away with customers' payment card details, names, postal and email addresses, dates of birth, and account passwords. In the U.K., about three million bank customers had to change their account details and obtain new credit cards, it has been reported.

Two years later, the U.K. Information Commissioner -- the official watchdog for privacy and data security -- has decided the breach was due to poor IT security by Sony and has decided to teach it a lesson.

It busted the company under the U.K.'s 1998 Data Protection Act, after its investigators decided the attack could have been prevented if network software had been up to date. It also believes the way Sony Entertainment Europe had set up user passwords was not sufficiently secure.

[ Java security news is not getting any better. See Java Hacker Uncovers Two Flaws In Latest Update. ]

The Data Protection Act offers eight central principles that any organization working in the U.K. and holding personal data must comply with. These require that such personal information must be: fairly and lawfully processed; obtained for limited purposes; adequate, relevant and not excessive; accurate and kept up to date; never kept for longer than necessary; processed in line with personal legal rights; not transferred to other countries without adequate protection; and, most relevant to this case, always kept securely.

The organization's deputy commissioner and director of data protection, David Smith, said in the Information Commissioner's finding that, "If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted -- albeit in a determined criminal attack -- the security measures in place were simply not good enough ... There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."

The body also points to the impact the scandal has had on U.K. consumers' willingness to share their personal information online, which could of course impact U.K. e-commerce more widely. It quotes data based on market research conducted shortly after the incident that said 77% of consumers had been left "more cautious" about giving their personal details to websites.

The Information Commissioner's action is part of a stream of high-profile actions on organizations it deems have been too lax in protecting customer information.

What's unusual here is both the size of the financial swipe it's made on the global brand of Sony -- more commonly, it fines public-sector bodies in the U.K., with a particular focus on cases where hospital workers lose USBs with sensitive patient data -- and also how clearly it says the company's bad security practices are to blame.

"The penalty we've issued today is clearly substantial, but we make no apologies for that," says Smith. "The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft."

Sony has yet to publicly react to the news.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
PJS880
50%
50%
PJS880,
User Rank: Ninja
2/2/2013 | 5:37:55 PM
re: Sony Slapped With $390,000 U.K. Data Breach Fine
It took 2 years to figure that the breech was due to poor IT security, wasnGÇÖt that obvious? David Smith was correct; when people disclose their credit card information to companies there is an obvious responsibility for the company holding that information maintains it securely. A mere $390,000 doesnGÇÖt really seem to cut it when the number of compromised accounts is 77 million, especially as large as a company as Sony is.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.