Sony Computer Entertainment Europe Limited (“Sony”) has received a fine for £250,000 from the Information Commissioner’s Office (“ICO”) following a serious breach of the Data Protection Act 1998 (“DPA”).

Under the DPA, Sony is treated as the “data controller” in respect of personal data provided by customers when they create an account to access the Sony PlayStation Network Platform (“Network Platform”).

In April 2011, the Network Platform was hacked, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth, account passwords and payment card details.

An ICO investigation found that the attack took place because of a software vulnerability. Moreover, it was found that Sony had failed to keep up to date with technical developments which meant that passwords were not secure. It was concluded that the attack could have been prevented if the software had been up-to-date.

Consequently, Sony was found by the Information Commissioner (“Commissioner”) to have been in serious breach of its obligation to comply with the data protection principles established by the DPA, namely the seventh data protection principle, which provides that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.

The Commissioner exercised his powers to serve a monetary penalty of £250,000 on Sony as a data controller and, in determining this amount, considered the following aggravating and mitigating factors:

Aggravating

  • Nature of the contravention: the contravention was considered serious because of the nature and vast amount of personal data placed at risk.
  • Effect of the contravention: vast amounts of personal data were put at risk.
  • Behavioural issues: Sony should have been aware of the software vulnerability and should have acted sooner.
  • Impact on the Data Controller: Sony has sufficient financial resources to pay a monetary penalty up to the maximum (i.e. £500,000) without causing undue financial hardship.

Mitigating

  • Nature of the contravention: Sony was subject to “a focused and determined criminal attack” and had taken steps to secure some aspects of the Network Platform.
  • Effect of the contravention: the compromised personal data was unlikely to have been used for fraudulent purposes and no complaints had been received by the ICO.
  • Behavioural issues: Sony voluntarily reported the contravention to the ICO and had been fully cooperative with the ICO investigations. It was also noted that Sony had taken “substantial remedial action” including informing the affected data subjects and offering reparation where appropriate.
  • Impact on the Data Controller: the security breach had had a significant impact on Sony’s reputation.

In light of the above, the Commissioner considered that a monetary penalty of £250,000 (half of the maximum amount of £500,000) was reasonable and proportionate given the particular facts of the case – this is the largest penalty awarded by the ICO against a private company to date.

The Sony penalty highlights the need for organisations to ensure that they have appropriate and effective security measures in place to protect all personal data stored and processed on their computer systems (and, where such storage and processing is outsourced, to ensure that their providers have such measures). In the event of a breach, data controllers are also strongly advised to consider making a voluntary notification to the ICO and to co-operate fully with the ICO’s investigations, as these actions may be taken into account by the ICO as mitigating factors when assessing the level of the penalty to award.