LONDON--The U.K. Information Commissioner's Office Jan. 24 announced that it issued a monetary penalty notice levying a £250,000 ($394,745) fine on Sony Computer Entertainment Europe Ltd. after a 2011 hacking attack led to the disclosure of highly sensitive information of millions of customers.
In April 2011, Sony Inc. revealed that its PlayStation video gaming and Qriocity streaming music and video online networks had been hacked, exposing personal information on some 77 million user accounts (10 PVLR 672, 5/2/11). Sony announced May 2, 2011, that a second, earlier hacking breach compromised data on an additional 24.6 million user accounts (10 PVLR 691, 5/9/11).
The names, addresses, email addresses, dates of birth, account passwords, and payment card details of millions of customers were put at risk, the ICO said in a statement.
The monetary penalty notice was redacted to hide the exact number of millions of customers worldwide and millions of customers located in the United Kingdom that were affected by the breach.
Until the ICO's action, Sony had escaped enforcement fines. In May 2011, Japan's Ministry of Economy, Trade and Industry ordered Sony to improve its data security but did not fine the company over the breach incident (10 PVLR 849, 6/6/11).
In September 2011, the Australian data protection authority, the Office of the Privacy Commissioner, only issued a warning to the company focused on what it said was an unsatisfactory delay in notifying affected customers of the breach (10 PVLR 1427, 10/3/11).
On Jan. 25, Australian Privacy Commissioner Timothy Pilgrim issued a statement on the ICO fining of Sony, recalling that his 2011 investigation found that the Australian arm of Sony did not directly control any personal information involved in the breach.
In any event, under the Australian Privacy Act, the DPA lacked the power to issue fines for data security violations, he said. He noted, however, that new fining authority is part of amendments to the Privacy Act passed in November 2012 (11 PVLR 1709, 12/3/12) that are set to take effect March 12, 2014. Under the amended law, the DPA may assess companies violating the Privacy Act up to A$1.1 million (nearly $1.5 million).
Describing the case as “one of the most serious ever reported to us,” the ICO's Deputy Commissioner and Director of Data Protection David Smith said in a statement that Sony's security measures were “simply not good enough” to prevent the criminal attack on its online entertainment database.
According to the monetary penalty notice, which is dated Jan. 14, Sony failed to ensure that the network service provider it used “kept up with technical developments,” despite the technical resources available. Sony also “failed to take the action required to address the vulnerability even though appropriate updates were available.”
The ICO said in the notice that the contravention was “particularly serious” because of the nature and amount of personal data and because of the number of individuals affected.
Since the breach, Sony has completely rebuilt its network with up-to-date and more sophisticated security measures, the penalty notice said. In particular, all customer account passwords have been changed and appropriately protected, and the software used by customers to access the system has been reconfigured to prevent any further exploitation, the ICO said.
Sony's fine equals the second highest fine ever issued by the ICO, which was levied against a local government authority in Scotland in September 2012 (11 PVLR 1476, 10/1/12). In June 2012, the ICO handed a record fine of £325,000 ($513,236) to an English hospital (11 PVLR 1081, 7/2/12).
By Ali Qassim
The redacted monetary penalty notice to Sony Computer Entertainment Europe is available at http://www.ico.gov.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx.