ICO fines Sony £250,000 for loss of personal data in 2011

24 January 2013

In a monetary penalty notice dated 14 January but announced today, the Information Commissioner’s Office has fined Sony Computer Entertainment Europe Ltd £250,000 for a serious breach of the UK's Data Protection Act.

The fine is noticeably smaller than the £300,000 penalty imposed on Christopher Niebel in November 2012 for sending text spam, or the £325,000 levied on Brighton and Sussex University Hospitals NHS Trust in June 2012. It nonetheless sits at the upper end of the penalties the ICO has issued, and it continues the trend of increasingly severe fines seen over the last 12 months.

The incident in question is the widely reported hack of the Sony PlayStation Network in 2011. “The Network Platform,” says the notice, “was infiltrated following several Distributed Denial of Service (DDoS) attacks on various online networks of the Sony group. The attacker accessed personal data stored on the Network Platform which included customers’ names; addresses; dates of birth and account passwords.”

The notice – unusually and ironically redacted by the same office responsible for upholding freedom of information in the UK, so the published version does not spell out exactly which measures fell short – further states that the Sony “data controller failed to ensure that the Network Platform service provider kept up with technical developments. Therefore the means used would not, at the time of the attack, be deemed appropriate, given the technical resources available to the data controller.”

David Smith, deputy commissioner at the ICO, commented, “If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.”

Sony disagrees with the ruling and is planning to appeal. It points out that the ICO itself describes the incident as ‘a determined criminal hack’, and says there is no evidence either that the encrypted payment card details were accessed or that any personal data has been used for ‘fraudulent purposes.’

How far this appeal will go remains to be seen. Back in October 2012, Google's global privacy counsel, Peter Fleischer, warned of an evolving litigious battleground in Europe. “Companies that today shrug their shoulders and pay small fines, rather than be bothered to hire lawyers and launch long legal processes, in the future will be confronted with the risk of massive fines. Facing massive fines, companies will be required to hire expensive lawyers, launch intense legal battles, and generally handle privacy breach litigation with the full battery of legal process and tools.” We may be witnessing the beginnings of Fleischer’s prophecy.
