Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sony Fined In UK For PlayStation Network Hack

Posted by timothy on from the that's-barely-a-bonus-for-ceos dept.

Sockatume writes "The UK's information protection authority, the ICO, has fined Sony for failing to adequately secure the information of PlayStation Network users. The investigation was triggered by a 2011 security breach, during which personally identifying information (including password hashes) was recovered from a Sony database where it had been stored without encryption. In the ICO's view Sony's security measures were inadequate, and the attack could have been prevented. The £250,000 (ca. $400,000) fine, the largest the ICO has ever imposed, is equivalent to a few pennies per affected user. Sony disagrees with the ICO's decision and intends to appeal."

86 comments

  1. Appeal? Really? by Anonymous Coward · · Score: 2

    Encryption's been here for -how long-? As a standard, over a decade before you were hacked; I think more like a decade and a half. And you have a high profile. And you store credit card information.

    Eat it.

    1. Re:Appeal? Really? by Derekloffin · · Score: 1

      The credit card info was encrypted. Passwords were hashed. The personal info was the bit unencrypted but that's not exactly uncommon (even Valve doesn't encrypt that as their breach revealed).

    2. Re:Appeal? Really? by Jane+Q.+Public · · Score: 1

      "Encryption's been here for -how long-?"

      As the other poster stated: this information was NOT stored in plaintext. Passwords were hashed. Sony's statement tries to make an artificial distinction between encryption and hashing (perhaps to justify their earlier statement?) but the fact is that hashing is encryption. Just a particular form of it.

    3. Re:Appeal? Really? by Anonymous Coward · · Score: 0

      Nope. Wrong. Hashing is not AT ALL like encryption.

      With good encryption, if you encrypt the same plain text twice, you get two different ciphertexts (see for example AES-CBC). So someone who sees the the two ciphertexts of the same plaintext cannot even guess that they are related.

      With hashes it's a completely different story: you always get the same hash from a plaintext. This allows dictionary attacks (see http://en.wikipedia.org/wiki/Dictionary_attack). The sony hackers used that approach to find the passwords.

      One way to fix this is to used a KEYED hash function (assuming you keep the key secret). It's still not exactly as good as encryption but allows to avoid dictionary attacks.

    4. Re:Appeal? Really? by Jane+Q.+Public · · Score: 1

      "Nope. Wrong. Hashing is not AT ALL like encryption."

      Sorry, but you are wrong. Hashing IS a form of encryption.

      You, too, try to make an artificial distinction between what YOU call "good encryption" and other forms, which -- despite your protests to the contrary -- are still encryption.

      Encryption is merely an algorithmic means to hide information. That is all. Some methods are better than others; and some are more suitable for particular tasks than others.

      Further, encryption does not have to work both ways. Getting your information back is decryption.

    5. Re:Appeal? Really? by Anonymous Coward · · Score: 0

      OK. It's not just what "I" call "good encryption" that is encryption. In fact, it's what modern cryptography calls "encryption". One of the minimum requirements for an encryption algorithm is that is offers cyphertext indistinguishability ("http://en.wikipedia.org/wiki/Ciphertext_indistinguishability"). A hash has no such property.

      Anyways, I see people making this type of confusion every day in my job when I review security policies and architectures. Sony probably ran into these problems partially because they did the same thing, mixing integrity, authentication, encryption, three different things that are done differently, with different algorithms and different tools.

    6. Re:Appeal? Really? by Jane+Q.+Public · · Score: 1

      "I see people making this type of confusion every day in my job when I review security policies and architectures."

      I can play the Wikipedia game too. As Wikipedia says: "Ciphertext indistinguishability is a property of many encryption schemes." It does NOT say it is a requirement in order to qualify as "encryption". It's merely a feature common to MANY styles of encryption. For a given purpose, there exist good forms of encryption and bad forms of encryption. But they are all still encryption.

      One-way hash function are a form of encryption, and a properly-hashed plaintext is commonly (and rightfully) said to be "encrypted".

      I can produce a hundred dictionaries and technical texts that agree with this. For just one example of many, see Schneier's "Applied Cryptography".

      Perhaps you require indistinguishability for YOUR purposes. But some other uses have no such requirement. That does not make them "not encryption". You are trying to narrow the whole field of encryption to a rather small subset of your own choosing.

  2. My god! by serviscope_minor · · Score: 5, Insightful

    GBP 250,000

    That's a lot of money. I'm sure a multibillion sized corporation will really sit up and take notice. If they keep on doing that, say several hunded thousand times per year it might even affect their bottom line.

    --
    SJW n. One who posts facts.
    1. Re:My god! by 1s44c · · Score: 2

      The money might mean nothing to Sony but the embarrassment must.

      But if your point is that it's silly to fine a massive company so little then I totally agree.

    2. Re:My god! by Anonymous Coward · · Score: 1

      The ICO isn't a court of law, it doesn't haven't unlimited power, or the power to issue unlimited fines - and that's a good thing, since it prevents the ICO becoming abusive in its practices.

      That said, an ICO decision does not stop affected users from pursuing private claims against Sony, and anyone pursuing a private claim can point at this decision, so the actual costs of the decision could be much higher than the immediate fine. There's also the loss of trade avenue to consider - people who now won't do business with Sony having seeing this in the press, whether private users for their next console, or other companies that choose to work with a competitor over security concerns.

    3. Re:My god! by Anonymous Coward · · Score: 0

      Has nothing to do with the actual value. It's about protecting their image and diminishing the risks for future litigation.

      In their defense, I can say this, no security is complete or absolute. Also, I don't see Microsoft ever prosecuted for deliberately leaving 0-day security holes unpatched for months.

      Hypocrites.

    4. Re:My god! by zandeez · · Score: 2

      It is a pitiful amount considering the severity of the breech. However it's the maximum fine for such a breech allowed under UK law, which also speaks volumes.

    5. Re:My god! by SuricouRaven · · Score: 1

      I used to think it'd be a good idea to define all fines not in absolutes, but percentages of income (individuals) or profits (corporations). Then I realised that many mega-corps don't actually have much in the way of profits on paper, for tax purposes.

    6. Re:My god! by Merls+the+Sneaky · · Score: 1

      Define it as a percentage of total worth for corporations?

    7. Re:My god! by Anonymous Coward · · Score: 0

      If it was pounds of silver, it would be a sizable fine.
      Money isn't what it used to be.

    8. Re:My god! by hawkinspeter · · Score: 1

      As much as I hate to defend Microsoft, have they every lost loads of customer information from their own network? If someone chooses to use a Microsoft product that isn't secure, then that's their own problem and their fault for choosing an insecure product or not running firewalls/IDS etc.

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    9. Re:My god! by SuricouRaven · · Score: 1

      You'd just see similar issues with manipulating the numbers. Easy enough for a corporate giant to simply contract out most operations to smaller 'independant' companies for a token fee, acting as essentially subdivisions but with a clear legal distinction. Thus the fine would be applied only to a very small sub-company, rather than the giant owner.

    10. Re:My god! by Anonymous Coward · · Score: 1

      You can do a lot of security work for £250,000. It doesn't matter that the fine doesn't cripple them, just to make slack security practices more costly than doing the right thing. No company becomes a multibillion dollars by thinking that £250k is worth the effort of bothering to do anything about.

    11. Re:My god! by tlhIngan · · Score: 2

      The money might mean nothing to Sony but the embarrassment must.

      It's an important point as it brings the whole breach back into light. And if Sony decides to fight it, they run a very real risk that some decision would come out during E3 and the reveal of the PS4.

      Now how do you think that would go over - Sony reveals the PS4 with online this and online that, followed by a headline about Sony's online service security breach? To most people, that won't inspire much confidence in Sony's online offerings - after heavily promoting it and then seeing some headline about security breaches on their online services.

      Even worse, the headline would be about a government agency that fined Sony for the online security breach.

      The last thing you want to instill is fear in some service you're offering just days after offering it. The damage would be much larger than any fine. Hell, prefix it a few days before with some news about some Facebook privacy breach and you'd find the people would get extremely gunshy.

      Given the speed of most government, appealing would really put the potential for an announcement to possibly happen during E3 or close to it.

    12. Re:My god! by Anonymous Coward · · Score: 1

      The money might mean nothing to Sony but the embarrassment must.

      It must? Has it yet?

      No, seriously, go out in the real world, away from the ubergeek nerd communities and wannabe-freedom-fighters, and ask PS3 owners if they even remember anything about the Sony data breach. Ask them if they even heard about it in the first place while they're drooling over the next God of War or Metal Gear Semipermeable: REVENGENCEFUL. Go ask people who watch movies produced by one of Sony's labels, or listen to albums by similar. See how much the "embarrassment" hurt Sony.

      Then once you've learned just how little it changed anything, head back to your bed, curl up in a ball, and have a good, long cry. That last part wasn't an order, by the way. It was a statement of future fact.

    13. Re:My god! by martinmarv · · Score: 1

      No, it's not the maximum fine under UK law - that's £500K. See http://www.theregister.co.uk/2010/04/05/ico_power_analysis/

      The summary isn't even about it being the highest fine imposed so far by the ICO for a breach of the Data Protection Act. There was a £325K fine imposed on an NHS trust. See http://www.ico.gov.uk/news/latest_news/2012/nhs-trust-fined-325000-following-data-breach-affecting-thousands-of-patients-and-staff-01062012.aspx

    14. Re:My god! by Dale512 · · Score: 2

      Make it a percentage of executive pay.

    15. Re:My god! by ConfusedVorlon · · Score: 2

      EU anti-competition regulators can fine up to 10% of worldwide turnover.

      http://en.wikipedia.org/wiki/European_Union_competition_law#Enforcement

      --
      VLC Remote for iPhone and Android
    16. Re:My god! by Gravatron · · Score: 1

      No one, outside the anti-sony fanboys, really cared the first time, seeing as most psn users came right back as soon as the system relaunched. Sony was, for most, seen as the victim of the attack, along with it's users, with the blame rightfully falling on the criminals who preformed it. It's not like sony leaked the information, someone broke in and stole it.

    17. Re:My god! by aztracker1 · · Score: 1

      A lot of executive compensation is in stock options, and not worth much without exercising those options.

      --
      Michael J. Ryan - tracker1.info
    18. Re:My god! by RoknrolZombie · · Score: 1

      I doubt it...they seemed to recover rather quickly from the fallout from their rootkits...

    19. Re:My god! by Anonymous Coward · · Score: 0

      In their defense, I can say this, no security is complete or absolute.

      You're defending Sony?!? Yes, their security was complete ane absolute because they had NO SECURITY (you dis say "no security" was complete and absolute).

      Here's a hint, Mr. Hirai -- if you're going to shill, get an account. Nobody will see either of our comments.

    20. Re:My god! by AmiMoJo · · Score: 1

      There is talk of increasing the limit to a percentage of the company's global profits.

      The real scandal is that Sony has not had to compensate those affected. At least people in the US got some free identity protection, we got bugger all.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re:My god! by greg1104 · · Score: 1

      You have to make the fine based on the gross sales of the associated product. If this were even 1% of all PS3 and Playstation Store sales, it would be a real fine. Anything else is trivially gamed to zero, the same way taxes are.

    22. Re:My god! by SuricouRaven · · Score: 1

      I considered that too. But that isn't fair - such a fine would be far more serious for a low-margin high-volume company than a high-margin low-volume company.

    23. Re:My god! by mpe · · Score: 1

      Easy enough for a corporate giant to simply contract out most operations to smaller 'independant' companies for a token fee, acting as essentially subdivisions but with a clear legal distinction.

      They might have such a system already in place for tax avoidance too.

    24. Re:My god! by 1s44c · · Score: 1

      Hey! I never said Sony would die of embarrassment or that this fine would cause them massive additional loss of face.

      I only said the damage done by the bad press must be greater than the rather small fine. A few people would have noticed, a few people who might otherwise buy Sony products might just go buy something else.

    25. Re:My god! by jonbryce · · Score: 1

      It's the largest fine ever given to a private company, but not the maximum fine allowed by the law. Some local authorities have had larger fines.

    26. Re:My god! by Anonymous Coward · · Score: 0

      For companies on the stock market, just use percentage of total stock value.
      I don't think any stock owners (owners of said company) will want to diminish that number in the slightest, the opposite is true.

    27. Re:My god! by Anonymous Coward · · Score: 0

      Holy crap, is this the spelling/grammar mistake thread or what?

      So far:

      breech -> breach (breech is a real English word, it just isn't what you're trying to say)
      independant -> independent (this is just EPIC FAIL)

      And yes, IAAET (I Am An English Teacher)

      Go ahead and keep 'em coming, if you must...

    28. Re:My god! by SuricouRaven · · Score: 1

      The classic offshore subsiduary. Good for all manner of legal evasions, as well as legitimate business purposes.

  3. Good ... by gstoddart · · Score: 4, Insightful

    If companies start to realize they're legally on the hook for data security maybe they'll start trying harder.

    So many of these security stories sound like they had a co-op student do it in an afternoon with no consideration for anything other than getting it done quickly.

    --
    Lost at C:>. Found at C.
    1. Re:Good ... by 1s44c · · Score: 5, Insightful

      So many of these security stories sound like they had a co-op student do it in an afternoon with no consideration for anything other than getting it done quickly.

      From what I've seen most companies get a qualified, experienced, and smart person who really wants to do a great job to secure these things. Then they demand it's done in a week. Then they demand that for each day in that week that person must attend 6 hours of meetings. Then they make it very clear that security must never affect functionality.

      Not that I'm saying it's just security people that get squeezed into doing a bad job when they really want to do a good one. It happens a lot.

    2. Re:Good ... by malignant_minded · · Score: 1

      I don't know is this a good thing? What about small companies that just want to sell something? There are ways of pushing the compliance on someone else for a fee but perhaps what data is necessary for this stuff and a complete overhaul of our payment systems would be better. I am not saying companies should not be PCI compliant but credit card issuers should also be required to come up with something better.

    3. Re:Good ... by Anonymous Coward · · Score: 0

      the fine is less than actually designing and implementing a secure solution. the fine is likely less than sony will spend on lawyers fighting it. sony must really not want to establish guilt or precedence.

    4. Re:Good ... by gstoddart · · Score: 1

      I don't know is this a good thing? What about small companies that just want to sell something?

      If you live in a place which has data protection laws like Europe, then you need to comply with them.

      Incompetent isn't a reason to not be adhering to the data security laws in the first place. Neither is "too hard".

      --
      Lost at C:>. Found at C.
    5. Re:Good ... by malignant_minded · · Score: 1

      So how many credit cards were compromised and how is this fine proportionate? How does this put a dent in a large corporation? All it does is eliminate smaller business. My point was that the means of purchasing something are insecure and that insecurity is passed on to the seller. That should be corrected. In fact it would probably be better if credit card companies had to deal with all this security themselves similar to how you can get redirected to Paypal for completing a transaction. So when your credit card info is leaked it is the credit card losing real business.

    6. Re:Good ... by am+2k · · Score: 1

      From what I've seen most companies get a qualified, experienced, and smart person who really wants to do a great job to secure these things. Then they demand it's done in a week. Then they demand that for each day in that week that person must attend 6 hours of meetings. Then they make it very clear that security must never affect functionality.

      Well, that still does the job it's supposed to: If something happens, the manager is not to blame, because he's the one who hired the security guy.

    7. Re:Good ... by helix2301 · · Score: 1

      This was a major hack they got the site backup then next day went down again service was down for about 2 weeks if not more.

      --
      http://www.thetechnologygeek.org
  4. Irony by deathtopaulw · · Score: 3, Funny

    Does anyone else find it funny that they were disciplined by ICO, one of the few things Sony has ever gotten right?

    1. Re:Irony by Anonymous Coward · · Score: 1

      First thing i thought about as well when i read the acronym. :D

  5. $400k? That's it? by eth1 · · Score: 5, Interesting

    I'm so sure that will get them to shape up right away...

    Maybe it's time to start enforcing corporate fines as a percentage of current market cap, payable by newly issued stock to the regulatory agencies. That would deflate the value of the existing stock, getting the shareholders to whip the company into line (hopefully). Also, too many repeat offenses would give the regulators increasing control over the company itself. After 5-10 years, allow the company to buy the stock back.

    1. Re:$400k? That's it? by gnasher719 · · Score: 4, Insightful

      Maybe it's time to start enforcing corporate fines as a percentage of current market cap, payable by newly issued stock to the regulatory agencies. That would deflate the value of the existing stock, getting the shareholders to whip the company into line (hopefully). Also, too many repeat offenses would give the regulators increasing control over the company itself. After 5-10 years, allow the company to buy the stock back.

      That's quite nonsensical since many big companies are in many different businesses. Take Samsung. They build ships. I assume that they are not better or worse than other companies building ships, so sometimes they will be fined. Except according to your plan, ten times more than other ship builders, because they are in many more businesses. Samsung also builds tractors. Again, I assume they are not better or worse than other companies building tractors, but if something goes wrong you want to fine them ten times more.

      There are Google employees driving around in little cars taking photos of all kinds of places. Sometimes they are speeding. Do you think Google should pay a million dollar fine every time one of their cars gets caught speeding? There's a truck company owning 3 trucks. And another one owning 3,000. Statistically, the one with 3,000 trucks will get 1000 times more speeding tickets, parking tickets, and so on. Do you think they should pay 1,000 times more per ticket because they are bigger?

    2. Re:$400k? That's it? by 1s44c · · Score: 1

      That's just bizarre. Regulatory agencies don't want to run companies, they want the companies to run themselves in a responsible way. They are not in the investing game and should never be put in a position where they have an incentive to favor one company over another.

      Cash should be used for fines, ideally that cash should not go to the organization that imposed the fine.

    3. Re:$400k? That's it? by saphena · · Score: 1

      If you want to change behaviour using sticks rather than carrots you do need to use an appropriate stick. Hitting an elephant with a matchstick probably won't influence his behaviour much, hitting him with a telegraph pole might get his attention.

      If Google was fined $1,000,000 every time one of their employees gets caught speeding, they'd pretty soon figure out how to prevent their employees speeding (or at least getting caught)

    4. Re:$400k? That's it? by gnasher719 · · Score: 1

      If Google was fined $1,000,000 every time one of their employees gets caught speeding, they'd pretty soon figure out how to prevent their employees speeding (or at least getting caught)

      On the other hand, Microsoft and Apple would hand over a bit of cash to 100 or so drivers, and next day Google would be bankrupt.

    5. Re:$400k? That's it? by eth1 · · Score: 1

      That's just bizarre. Regulatory agencies don't want to run companies, they want the companies to run themselves in a responsible way. They are not in the investing game and should never be put in a position where they have an incentive to favor one company over another.

      Of course they don't - and probably wouldn't. The point is that the fact that they *could* should scare the shit out of the board and shareholders, so that they don't have to.

    6. Re:$400k? That's it? by Anonymous Coward · · Score: 0

      Do you think they should pay 1,000 times more per ticket because they are bigger?

      Yes, the purpose of the fine is not to cover the expenses or the damage caused by an action (This should be done on top of the fine.) but to work as a deterrent.
      If the fine doesn't scale with income it means that rich people are immune to for example speeding tickets.

      If Google have enough money to ignore million dollar fines and their cars keep speeding then the fines have to be raised because the purpose is that they should stop speeding. If a fine of a single cent was enough for them to stop then it would also be reasonable.
      Part of the point is that the offender never should be in a position where he can make the call that it is more profitable to ignore the law and take the fine than to follow the law.

      Another method is to use deterrents that doesn't need to be scaled. Imprisonment is one of those since it is as deterring for a rich person as it is for a poor person.

    7. Re:$400k? That's it? by AmiMoJo · · Score: 1

      Fortunately companies are required to report their income from different parts of the business, so it wouldn't be hard for someone qualified to look at the accounts and say "10% of your shipbuilding related turnover".

      There's a truck company owning 3 trucks. And another one owning 3,000. Statistically, the one with 3,000 trucks will get 1000 times more speeding tickets, parking tickets, and so on. Do you think they should pay 1,000 times more per ticket because they are bigger?

      These fines are generally reserved for large, systematic failures. If the larger company was continually telling its drivers to speed, removing speed limiters from its vehicles and so forth a proportional fine would be in order. Otherwise it is ineffective and they could be in a position where simply paying the smaller fines costs them less than breaking the law does, so they carry on doing it.

      I seem to recall a case in the US where a car manufacturer decided to simply pay compensation to people killed or injured rather than do a recall.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:$400k? That's it? by Anonymous Coward · · Score: 0

      Considering that they benefit massively from being such a large, diverse company - to the point of harming competitiveness within a specific market area because they don't have to worry about being as efficient as possible from the get-go, i.e. can take a risk with lower margins and not go under if it goes wrong - I think they should also be presented with a a risk relative to their size to balance the benefit they receive from this.

      Keep in mind - the point of these regulations is not to make everything fair for everybody. The point is to make things better/fairer for the general public. This means that sometimes it will seem unfair to big companies from a limited scope - however since they have massive advantages when taking the whole scope into account it all works out.

      To take your example - Samsung could be downright dangerous in building their boats and still not risk their own future if the fines are kept low to make it 'fair'. If we want to ensure maximum safety and quality in the products made then we have to take into account the benefit that they're great size/prosperity grants them and fine them accordingly for it to have any actual effect as a deterrent.

    9. Re:$400k? That's it? by Anonymous Coward · · Score: 0

      It was Ford, regarding the Ford Pinto, and the omission of a plastic cover over some exposed bolts on (IIRC) the differential.

      Interestingly, in Canada, they fitted said plastic cover.

  6. Re:Hacks by Anonymous Coward · · Score: 0

    erm.... Slashdot is dead. Long live Slasdot?

  7. Too small to be a deterrent, surely? by Anonymous Coward · · Score: 0

    How many developers do you think it'd take to secure Playstation Network? Because 250K will barely get you a single developer for three years (paying the developer 60K a year plus 20K for office space and some part of the salary for a manager, HR person, IT department, etc)

    1. Re:Too small to be a deterrent, surely? by gl4ss · · Score: 1

      maybe if every country sony operated in then it wouldn't..

      --
      world was created 5 seconds before this post as it is.
  8. Don't worry, they are now on schedule! by Anonymous Coward · · Score: 0

    Sony understands the importance of providing service to their customers, and are on schedule to achieve their 'five nines' in network reliability in the year 8583.

  9. Why fine them? by Anonymous Coward · · Score: 0

    Lets face facts here...

    Over the course of the past few years mastercard, paypal, a dozen or so game companies, a couple middle eastern governments various police agencies and hb gary (a god damn cyber security company of all things) all get hacked by the same orginzation as sony did. All those companies were damaged, they had tons of personal data leaked onto the net and worse. But for some reason everyone wants to only hate sony and blame sony.

    So if you want to blame sony for poor security then why arent you blaming the other couple dozen orginzations and goverments that were hit harder with more security damaged?

    Thats as stupid as if someone robs 4 houses on a street but blaming one house out of that dozen for all the robberies and trying to sue them. They didnt do the robbing and they got robbed just like everyone else did.

    Oh and guess what? Sony reported the breach faster than anyone else did. They also offered free identity protection to ALL OF THEIR CUSTOMERS, for free. And in the end guess what else? No real information was leaked that was viable. Why? Because the needed secure data was actually secure and seperate. So yeah they got credit card numbers but they had no routing numbers, no names and no CCV codes to use them with. No one had their identity stolen, no credits were frauded and nothing bad happened. Can you say the same for the other places annonymous hacked? No you cant.

    So why blame and hate sony? Ill tell you why, because you dont know why, all you know is its the cool thing to do and people lined up in droves to bash them and trying to get a handout in form of pointless lawsuits and fines.

    1. Re:Why fine them? by hawkinspeter · · Score: 1

      Why blame Sony? How about storing personal details of customers unencrypted? Did any other of those organisation do something so stupid?

      --
      You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
    2. Re:Why fine them? by Wamoc · · Score: 1
      The reason Sony is being fined is because of how their security was implemented. The other companies had actual security in place. Sony's security was the equivalent of a sign on the data saying "Please don't take this". The ICO knows that no security is 100% safe, but expects companies to at least attempt to keep data safe (which Sony did not do in this case). Sony also had every single one of its divisions customer data hacked.

      They also offered free identity protection to ALL OF THEIR CUSTOMERS, for free.

      I never got an offer of free identity protection when my data was stolen. The emails I got from them basically said "By the way, you may want to keep an eye out for identity theft". My data wasn't stolen through the PSN, but through the online MMO games portion.

    3. Re:Why fine them? by Sockatume · · Score: 1

      I've got a very well-written response here but in order to stick to my rule of not feeding the trolls I'll just point out that your clearly don't know the facts of the case very well and your argument is laughably specious.

      --
      No kidding!!! What do you say at this point?
    4. Re:Why fine them? by Gravatron · · Score: 1

      I'd wager more do then you think. Personal data by itself, minus a few select items, is not exactly confidential. I can easily look up much of your data with a phonebook after all. Stuff that was important, like CC info, was indeed encrypted, as is normal.

    5. Re:Why fine them? by TapeCutter · · Score: 1

      Great post, pity everyone else is too busy dressing up as Guy Fawkes and throwing rocks to actually read it.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  10. Not the largest fine by Anonymous Coward · · Score: 1

    This is not the largest fine for data breaches imposed by the ICO.

    The largest went to Brighton and Hove NHS hospitals, after they contracted with a data destruction firm to destroy hard drives used by the HIV clinic. A staff member of the destruction contractor stole the drives and forged a destruction certificate, before selling the drives on eBay where they were picked up by a data recovery firm among other people.

    The hospital was fined £325k. It is not reported what happened to the data destruction company.

    1. Re:Not the largest fine by Sockatume · · Score: 1

      My bad. It's the largest organisation to be fined that is not a local authority.

      --
      No kidding!!! What do you say at this point?
  11. Good. by Anonymous Coward · · Score: 0

    Only way they'll learn. If you can't secure credit card information securely, don't store it at all?

  12. Cost of business by Anonymous Coward · · Score: 0

    Just the cost of business.

    Now if they actually jailed the person in charge of infosec, that might get something to change.

  13. What about Facebook? by Anonymous Coward · · Score: 0

    All that information is just sitting their exposed by default, and in some cases exposed regardless of user intervention because there is simply no option to disable it.

    Facebook would reverse the big bang because of how hard they would get sued for information leaks.

    So, why not them too? They are the worst information leak offenders of today.

  14. Fine not high enough by ikaruga · · Score: 3

    I kind of like sony, I have a Vita(not because of Sony but because it has reasonable third party support here in Japan, I really enjoy the library so far) and a Xperia phone(decent phone with great looks). But holy crap, their security setup pre-hacking was something a baby could build better. Considering the amount of DRM they put on their products, I would at least expect they take server side security and data encryption seriously. The PS3 took 5 years to get hacked, but the PSN goes down in a few days by a bunch of script kids? WTF!? $400000 is pocket money even for sony, the penalties should be much harsher so that sony doesn't not ever decide to commit the same mistake ever again but also to scare other lazy companies in to upgrading their cloud services.

    1. Re:Fine not high enough by StoneyMahoney · · Score: 1

      It probably cost them less in fines that it would have to actually have the network running over that time. Pointless...

    2. Re:Fine not high enough by Gravatron · · Score: 1

      It wasn't just script kiddies though. They, iirc, used hacked consoles, and amazon cloud servers, to force their way in to some area where they had access to psn user data. I'm not sure they ever released how, exactly, it was done though. Seeing as sony rebuilt their entire network, and has suffered no further PSN breached, i'd say they learned their lesson.

    3. Re:Fine not high enough by Anonymous Coward · · Score: 0

      if you like sony you're a fucking idiot just looking to be abused

  15. Re:Hacks by Anonymous Coward · · Score: 0

    Yo, Bubba. You started dying the moment you were born. Yes, you're dying, chump. You own future is bleak. You're going to spend a small part of eternity as a bag of bones in a coffin. When some geologic event occurs, to expose your bones to the elements, your bones will be broken down into the minerals from which they were built. Unless, of course, some critter decides to gnaw on your bones. Then, some of your molecules might know a few more moments of life, before being shit out onto the ground. Bleak indeed. No matter though - no one is going to miss you.

  16. fine nothing compared to lost sales by ZombieBraintrust · · Score: 1

    Fine a drop in the bucket compared to the PSN store being down for several weeks. Games released when PSN down also did not sell well. They also purchased credit card theft insurance for all their users who had credit card info on PSN. They also had to give out free games to get people to bring back good will from users. So even without fine the market punished Sony quite a bit.

  17. Lost sales dwarf fines by ZombieBraintrust · · Score: 1

    Sony lost plenty of money when the store was down. Disk based games didn't sell because people wanted to play multiplayer. Consoles didn't sell because of the bad press. DLC and PSN games didn't sell because the store was down. After it came back up many people removed their credit card info and stopped buying DLC and PSN games.

  18. Re:Hacks by g0bshiTe · · Score: 1

    Not really bleak when you consider that energy is neither created nor exhausted only converted. I for one welcome our future poop overlords.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  19. Fine the victim? by Anonymous Coward · · Score: 0

    Someone breaks in your home and steals your address book, you then sue the owner of the book for not securing it? UK logic is fun.

  20. Not about money by Flipstylee · · Score: 1

    It's a PR slap, the money is irrelevant, it's what could be done, and i wish we would do more of that at here in the US.
    Alot of sensitive information was let out into the open, and i was affected in that i had to get a new card. Not a problem. Then it happened again.
    So i get another new card, and i now have a fancy blu-ray player, completely isolated and not connected, not subscribing to or buying anything. Not a problem.

    1. Re:Not about money by Anonymous Coward · · Score: 0

      Yep, the money is irrelevant. Fact is, Sony will be appearing in a million articles over the next few years as "Sony, which has previously faced fines for its privacy lapses, ....". It's notable, quotable and memorable.

      Which is the kind of PR agony that makes large company's Reputational Risk people jump off bridges. In some office, there are senior board members who are about to have a meeting with someone who is about to have the worst day of their life. In every interview for every consultant, prospective employee or grad, this embarassment is going to hang in the air like a very bad fart - for a while. Every security consultant who has worked for Sony is currently rewording their CV. This is very very public, and extremely hard to patch in people's minds.

      That's the true cost.

  21. And out of all this... by thatbloke83 · · Score: 1

    ...I still can't figure out what grounds Sony could possibly have for an appeal.

    They "Strongly disagree" with the ruling. I suppose it's in their best interests to disagree, but based on the publicly known information about this hack, how could they possibly hope to succeed in overturning this ruling?

  22. Wonder how secure ICO is by Anonymous Coward · · Score: 0

    Karma baby