Sony plans appeal but isn’t getting much sympathy from the security community
Sony has been slapped with a £250,000 fine for failing to adequately fend off hacks of its network, which hit its gaming arm in April 2011, but the electronics giant is gearing up for an appeal.
Almost two years after PlayStation Network (PSN) servers were hacked, and data on 77 million global gamers compromised, the Information Commissioner’s Office (ICO) has finally taken action. As many as three million were believed to have been affected in the UK.
It has taken some time for the ICO to come to a conclusion, having kicked off an investigation in April 2011. The data privacy watchdog told TechWeekEurope in March last year it was likely to issue a decision on the PSN hack within six weeks. The information commissioner himself, Christopher Graham, told this publication in early November a decision was imminent.
The ICO told TechWeekEurope today it had been faced with a strong backlash from Sony’s lawyers, after it informed the company it was planning on issuing a fine.
“Sony Computer Entertainment Europe’s lawyers sent back lengthy representations explaining their position in some technical detail,” a spokesperson explained. “We then needed to go through them this end, before ultimately deciding to issue the Civil Monetary Penalty Notice you see today.”
Sony was battered by hackers and hacktivists in 2011, with over 100 million users eventually affected. The PlayStation maker came in for heavy criticism for allegedly weak security surrounding its PSN community. It responded by offering repeated apologies and compensation, including free games, to users, as well as employing its first ever chief information security officer (CISO).
Sony said it “strongly disagrees with the ICO’s ruling and is planning an appeal”. “SCEE [Sony Computer Entertainment Europe] notes, however, that the ICO recognises Sony was the victim of ‘a focused and determined criminal attack,’ that ‘there is no evidence that encrypted payment card details were accessed,’ and that ‘personal data is unlikely to have been used for fraudulent purposes’ following the attack on the PSN.”
This is the first time the ICO has issued a fine to a company that suffered a hacking incident. It is also the third biggest fine the body has handed out – the Brighton and Sussex University Hospitals NHS Trust having taken the biggest at £325,000.
“The security measures in place were simply not good enough,” said deputy commissioner David Smith. “There’s no disguising that this is a business that should have known better.
“It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.
“The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”
In its penalty notice, the ICO blanked out what vulnerability the attacker used to break into the site. It noted Sony did not take the action required to address the vulnerability, “even though appropriate updates were available”.
The ICO said Sony should have anticipated attacks on its site, given it was hit by various distributed denial of service (DDoS) attacks before.
Rik Ferguson, global vice president of security research at Trend Micro, said the fine was appropriate, given the apparent lax security practices at Sony.
“If anything you could argue that the fine amounts to no more than a slap on the wrist as it equates to about 0.003 pence per affected individual,” Ferguson told TechWeekEurope.
“The data breach itself could have been prevented by better server management but perhaps more critically, the sensitive data that was stored was not protected in any meaningful way and was available in clear text to the attacker. This is absolutely a breach of information protection legislation.”
Check Point’s UK managing director, Terry Greer-King, added: “A single layer of perimeter security isn’t really enough in the current threat climate.”
Despite the criticisms, an exclusive from TechWeekEurope last year revealed the ICO only received one complaint relating to the Sony breach.
Respect privacy? Try our privacy quiz!