ICO Sony Data Breach Decision Coming in Six Weeks

The deputy Information Commissioner reveals a decision on last year’s Sony breach is imminent

The Information Commissioner’s Office (ICO) will announce its decision on whether to punish Sony over last year’s significant data breach in the next six weeks, TechWeekEurope has learned.

Deputy commissioner David Smith revealed the body was close to the decision on events last year, which saw the PlayStation Network (PSN) and other Sony sites hacked. Data belonging to over 100 million customers was compromised across the various breaches.

Smith said Sony had been “helpful” in working with the data protection watchdog on the investigation. The ICO has the power to fine Sony as much as £500,000 if it believes individuals were seriously affected by the breaches.

The ICO told TechWeekEurope it had nothing further to add, except “our enquiries are ongoing at this stage.” The body announced in April last year it was going to investigate the impact of the breach on UK citizens. There are around three million UK registered PlayStation users.

Sony suffers

After the PSN was hit, Sony suffered a torrid few months, which saw other sites, including the Sony Pictures website, attacked. Former LulzSec leader Hector Xavier Monsegur, also known as Sabu, pleaded guilty to helping hack the Sony Pictures site, along with a raft of other online services.

Sabu also went after Sony Music thanks to a tip on a vulnerability from a LulzSec supporter. Sony Music Belgium and Sony Music The Netherlands were also targeted, whilst Monsegur revealed a vulnerability found in Sony Music Russia to other members of LulzSec.

In May last year, Sony said the PSN breach was going to cost it at least $171 million. The company was also sued by one of its customers in the US in April last year.

The ICO has previously faced criticism for not coming down hard enough on large private companies. When Google escaped a fine after it captured Wi-Fi payload data during its Street View rounds, the ICO said it was down to the fact that Google collected the data before the regulator had been given the ability to fine companies for data breaches. Nevertheless, it still came under fire.

It also took some flak for not issuing a tougher punishment for ACS:Law solicitor Andrew Crossley. ACS:Law was hacked by Anonymous after it sent letters to those believed to be committing copyright infringement, and the recipients’ details were leaked. The ICO said it would have fined Crossley £200,000 but reduced that to £1,000 because he was “of limited means”.
