January 24, 2013 2:18 pm

UK fines Sony for lapses at games network

Sony’s European subsidiary has been fined by a UK watchdog and criticised for failing to properly secure customer data before hackers attacked its PlayStation Network in 2011.

On Thursday, the Information Commissioner’s Office fined the Japanese electronics maker £250,000 for the breach, in which names, addresses, email addresses, dates of birth and passwords for millions of customers were accessed by hackers. The commissioner’s office said payment card details were also at risk.

PlayStation Network is the online element of Sony’s PlayStation gaming console and mobile gaming products, where customers can buy games and rent films with credit cards as well as chat and play against each other online.

The fine against Sony Computer Entertainment Europe is the third-largest imposed by the ICO, which is charged with enforcing the Data Protection Act in the UK but cannot issue penalties of more than £500,000. The two larger fines were both handed to local authorities. Sony can pay a lower amount of £200,000 if it settles the fine by February 13, a standard incentive for ICO fines.

The commissioner’s office said the 2011 attack could have been prevented if the network’s software had been kept up to date, and that technical developments had left the passwords held on the system no longer secure. In its penalty notice, it said Sony “did not ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing and the nature of the data”.

David Smith, deputy commissioner and director of data protection, said Sony was a company that traded on its technical expertise and therefore should have had the knowhow to keep customer data safe.

“When the database was targeted, albeit in a determined criminal attack, the security measures in place were simply not good enough,” he said.

Sony said on Thursday that it planned to appeal against the fine.

The company pointed to passages in the penalty notice that said there was no evidence that encrypted card payment details were accessed and that personal data were unlikely to have been used for fraudulent purposes after the attack.

“Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems . . . The reliability of our network services and the security of our consumers’ information are of the utmost importance to us.”

Vanessa Barnett, technology and media partner at the law firm Charles Russell, said the fine was significant because such penalties had previously been confined to financial services and local authorities.

“It’s almost a weather vane which signals how things are moving in Europe and what we can expect for the future.”

Brussels is considering stronger data protection legislation that would allow watchdogs to issue fines calculated as a percentage of a company’s turnover.

“The principle of data protection is that you award damages where there has been harm. But harm doesn’t just mean financial harm, it can mean distress, and the ICO is right to make that point,” Ms Barnett said.

The breach forced Sony to take the platform offline for a month and rebuild it to be more secure. At the time, it said 10m users had used their credit cards on the PlayStation Network platform but tried to reassure its mainly US members that the chances of card data having been accessed were low.

Even so, the breach, part of a series of attacks, continued to haunt the company for much of 2011, contributing to a management reshuffle, a tumbling share price and the company’s fourth straight loss.

Copyright The Financial Times Limited 2015.
