Sony Computer Entertainment Europe Ltd are back in the news for all the wrong reasons as a result of the £250,000 fine handed out by the ICO for the company’s April 2011 security breach.
Back in 2011 hackers targeted the Sony PlayStation Network and obtained the names, addresses, email addresses, dates of birth and account passwords of 77m customers. It later emerged that the Sony Online Entertainment network had also been compromised, with a further 25m accounts at risk. Sony responded by shutting down its online video game network on 20th April 2011, and the network remained offline until mid-May. Sony lost hundreds of thousands in revenue from the outage, the company’s share price dropped sharply as investors worried about the ultimate cost of the breach, and the then chief executive, Sir Howard Stringer, and other senior executives made humble and very public apologies. Since the hack, Sony claims to have rebuilt the PlayStation Network to be more secure.
The ICO has described this as “one of the most serious” breaches it has encountered, with David Smith, Deputy Commissioner, stating that “There is no disguising that this is a company that should have known better. It is a company that trades on its technical expertise…and they had access to both the technical knowledge and the resources to keep this information secure”. The ICO concluded that the attack could have been prevented had Sony kept its software up to date, and separately identified shortcomings in how customer passwords were handled.
Sony went on record today to say that the company “strongly disagreed” with the ICO’s ruling and planned to appeal, adding that “Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient. The reliability of our network services and the security of our consumers’ information are of the utmost importance to us”.
The £250k fine is the largest yet levied against a private company and the third largest fine imposed to date by the ICO. But is it anything more than just a light tap on the wrist for the entertainment giant?
There has been much discussion recently of the legislative changes proposed in the draft EU Data Protection Regulation. The Regulation proposes to significantly increase the fines available to supervisory authorities, so that a security breach on the scale of Sony’s could attract a fine of up to one million euros or 2% of worldwide annual turnover - not so much a tap on the wrist, more a bruising blow to the heart of the organisation. Although there is much for businesses to criticise and to be concerned about in the proposed Regulation, this does seem a more proportionate response to the scale and character of the Sony breach.
So what quick lessons can we take away from the Sony story?
(For a simple guide to improving your data security download our First Five Steps to Data Security Whitepaper)