Slashdot Mirror


Sony Fined In UK For PlayStation Network Hack

Sockatume writes "The UK's information protection authority, the ICO, has fined Sony for failing to adequately secure the information of PlayStation Network users. The investigation was triggered by a 2011 security breach, during which personally identifying information (including password hashes) was recovered from a Sony database where it had been stored without encryption. In the ICO's view Sony's security measures were inadequate, and the attack could have been prevented. The £250,000 (ca. $400,000) fine, the largest the ICO has ever imposed, is equivalent to a few pennies per affected user. Sony disagrees with the ICO's decision and intends to appeal."


  1. Appeal? Really? by Anonymous Coward · · Score: 2

    Encryption's been here for -how long-? As a standard, over a decade before you were hacked; I think more like a decade and a half. And you have a high profile. And you store credit card information.

    Eat it.

  2. My god! by serviscope_minor · · Score: 5, Insightful

    GBP 250,000

    That's a lot of money. I'm sure a multibillion-sized corporation will really sit up and take notice. If they keep on doing that, say several hundred thousand times per year, it might even affect their bottom line.

    --
    SJW n. One who posts facts.
    1. Re:My god! by 1s44c · · Score: 2

      The money might mean nothing to Sony but the embarrassment must.

      But if your point is that it's silly to fine a massive company so little then I totally agree.

    2. Re:My god! by zandeez · · Score: 2

      It is a pitiful amount considering the severity of the breach. However, it's the maximum fine for such a breach allowed under UK law, which also speaks volumes.

    3. Re:My god! by tlhIngan · · Score: 2

      The money might mean nothing to Sony but the embarrassment must.

      It's an important point as it brings the whole breach back into light. And if Sony decides to fight it, they run a very real risk that some decision would come out during E3 and the reveal of the PS4.

      Now how do you think that would go over - Sony reveals the PS4 with online this and online that, followed by a headline about Sony's online service security breach? To most people, that won't inspire much confidence in Sony's online offerings - after heavily promoting it and then seeing some headline about security breaches on their online services.

      Even worse, the headline would be about a government agency that fined Sony for the online security breach.

      The last thing you want to instill is fear in some service you're offering just days after offering it. The damage would be much larger than any fine. Hell, prefix it a few days before with some news about some Facebook privacy breach and you'd find the people would get extremely gun-shy.

      Given the speed of most government, appealing would really put the potential for an announcement to possibly happen during E3 or close to it.

    4. Re:My god! by Dale512 · · Score: 2

      Make it a percentage of executive pay.

    5. Re:My god! by ConfusedVorlon · · Score: 2

      EU anti-competition regulators can fine up to 10% of worldwide turnover.

      http://en.wikipedia.org/wiki/European_Union_competition_law#Enforcement

  3. Good ... by gstoddart · · Score: 4, Insightful

    If companies start to realize they're legally on the hook for data security maybe they'll start trying harder.

    So many of these security stories sound like they had a co-op student do it in an afternoon with no consideration for anything other than getting it done quickly.

    --
    Lost at C:>. Found at C.
    1. Re:Good ... by 1s44c · · Score: 5, Insightful

      So many of these security stories sound like they had a co-op student do it in an afternoon with no consideration for anything other than getting it done quickly.

      From what I've seen most companies get a qualified, experienced, and smart person who really wants to do a great job to secure these things. Then they demand it's done in a week. Then they demand that for each day in that week that person must attend 6 hours of meetings. Then they make it very clear that security must never affect functionality.

      Not that I'm saying it's just security people that get squeezed into doing a bad job when they really want to do a good one. It happens a lot.

  4. Irony by deathtopaulw · · Score: 3, Funny

    Does anyone else find it funny that they were disciplined by ICO, one of the few things Sony has ever gotten right?

  5. $400k? That's it? by eth1 · · Score: 5, Interesting

    I'm so sure that will get them to shape up right away...

    Maybe it's time to start enforcing corporate fines as a percentage of current market cap, payable by newly issued stock to the regulatory agencies. That would deflate the value of the existing stock, getting the shareholders to whip the company into line (hopefully). Also, too many repeat offenses would give the regulators increasing control over the company itself. After 5-10 years, allow the company to buy the stock back.

    1. Re:$400k? That's it? by gnasher719 · · Score: 4, Insightful

      Maybe it's time to start enforcing corporate fines as a percentage of current market cap, payable by newly issued stock to the regulatory agencies. That would deflate the value of the existing stock, getting the shareholders to whip the company into line (hopefully). Also, too many repeat offenses would give the regulators increasing control over the company itself. After 5-10 years, allow the company to buy the stock back.

      That's quite nonsensical since many big companies are in many different businesses. Take Samsung. They build ships. I assume that they are not better or worse than other companies building ships, so sometimes they will be fined. Except according to your plan, ten times more than other ship builders, because they are in many more businesses. Samsung also builds tractors. Again, I assume they are not better or worse than other companies building tractors, but if something goes wrong you want to fine them ten times more.

      There are Google employees driving around in little cars taking photos of all kinds of places. Sometimes they are speeding. Do you think Google should pay a million dollar fine every time one of their cars gets caught speeding? There's a truck company owning 3 trucks. And another one owning 3,000. Statistically, the one with 3,000 trucks will get 1000 times more speeding tickets, parking tickets, and so on. Do you think they should pay 1,000 times more per ticket because they are bigger?

  6. Fine not high enough by ikaruga · · Score: 3

    I kind of like Sony, I have a Vita (not because of Sony but because it has reasonable third party support here in Japan, I really enjoy the library so far) and an Xperia phone (decent phone with great looks). But holy crap, their security setup pre-hacking was something a baby could build better. Considering the amount of DRM they put on their products, I would at least expect they take server side security and data encryption seriously. The PS3 took 5 years to get hacked, but the PSN goes down in a few days by a bunch of script kids? WTF!? $400,000 is pocket money even for Sony; the penalties should be much harsher so that Sony doesn't ever decide to commit the same mistake ever again, but also to scare other lazy companies into upgrading their cloud services.