ICO fines Sony £250,000 for loss of personal data in 2011

The fine is noticeably less than that imposed on Tetrus Telecoms owner Christopher Niebel in November 2012 for sending text spam (£300,000; his business partner Gary McNeish was fined £140,000 in the same action), and on the Brighton and Sussex University Hospitals NHS Trust (£325,000) in June 2012. Nevertheless, it demonstrates the increasing severity of ICO fines issued over the last 12 months.

The incident concerned is the infamous hack of the Sony Playstation Network in 2011. “The Network Platform,” says the notice, “was infiltrated following several Distributed Denial of Service (DDoS) attacks on various online networks of the Sony group. The attacker accessed personal data stored on the Network Platform which included customers’ names; addresses; dates of birth and account passwords.”

The notice – unusually and ironically redacted by the same office responsible for upholding freedom of information in the UK – further states that the Sony “data controller failed to ensure that the Network Platform service provider kept up with technical developments. Therefore the means used would not, at the time of the attack, be deemed appropriate, given the technical resources available to the data controller.”

David Smith, deputy commissioner at the ICO, commented, “If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.”

Sony disagrees with the ruling and is planning to appeal. It points out that the ICO admits that it was ‘a determined criminal hack’ and claims that there is no evidence that encrypted payment card details were accessed nor that any personal data has been used for ‘fraudulent purposes.’

How far this appeal will go remains to be seen. Back in October 2012, Google's global privacy counsel, Peter Fleischer, warned of an evolving litigious battleground in Europe. “Companies that today shrug their shoulders and pay small fines, rather than be bothered to hire lawyers and launch long legal processes, in the future will be confronted with the risk of massive fines. Facing massive fines, companies will be required to hire expensive lawyers, launch intense legal battles, and generally handle privacy breach litigation with the full battery of legal process and tools.” We may be witnessing the nascence of Fleischer’s prophecy.