The UK Information Commissioner’s Office (the “ICO”) has served a monetary penalty notice of £250,000 on Sony Computer Entertainment Europe following the hacking of Sony’s PlayStation Network in April 2011, which it described as a serious breach of the UK Data Protection Act (the “Act”). The ICO stated that Sony did not take "appropriate technical measures" to protect the security of customers’ personal data stored on the network, but it’s been reported that Sony strongly disagrees with this ruling and is planning an appeal.
The ICO penalty notice report alleged that the Network Platform was infiltrated following a number of Distributed Denial of Service (“DDoS”) attacks on various online networks of the Sony group. A DDoS attack is an attempt by hackers to make a resource unavailable to legitimate users through the use of malware installed on an infected computer. Whilst there are clearly ways of reducing the likelihood of attacks, DDoS are serious and unfortunate methods of 21st century e-crime.
The incident, in which personal details of gamers, including names, addresses, passwords and credit card numbers, were hacked, was described by the ICO as "likely to cause substantial damage or substantial distress," and left the customers exposed to a risk of identity theft. Having shut down the PlayStation Network during the investigations, Sony overhauled the entire system’s security infrastructure before re-granting access for customers.
Sony issued a statement strongly disagreeing with the ICO and indicating that it will appeal the monetary penalty notice. According to the statement, despite the ICO recognising that Sony was the victim of a criminal attack and that there was no evidence that encrypted payment card data was accessed or likely to be used for fraudulent purposes, a penalty was still issued. Sony acknowledged that criminal attacks on networks are on the increase and that it continually works to keep its networks resilient, secure and safe, because protecting its users’ data is of utmost importance.