Sony fined £250,000 after hackers gained access to millions of gamers’ details

Graham Cluley

Remember the Sony PlayStation Network hack of 2011?

[Image: PlayStation Network maintenance message]

Aside from causing the online gaming service to be taken offline for days as Sony system administrators scrabbled to secure the system, the personal information of millions of users was exposed during the hack attack.

Compromised data included millions of customers’ names, addresses, email addresses, dates of birth and passwords. Payment card details were also put at risk.


The April attack by hackers against the Sony PlayStation Network heralded a series of other (over a dozen!) attacks against Sony websites around the world in the following months.

Today, the UK’s Information Commissioner’s Office has announced that it has issued a £250,000 fine against Sony for breaching the Data Protection Act.

David Smith, Deputy Commissioner and Director of Data Protection at the ICO, told the media that Sony should have done a better job at protecting its customers:

"If you are responsible for so many payment card details and login details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough."

"There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."


Sony says it has since rebuilt its PlayStation Network to better secure its users’ data.

Any company which is storing sensitive information about its customers should be doing everything in its power to prevent unauthorised access to the data.

That doesn’t just mean ensuring that your website is written securely and that your servers are protected with up-to-date software and security patches, but also that sensitive information is encrypted securely. Then, even if the data does fall into the hands of the bad guys, they can’t do anything with it.
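To make the point above concrete for the password column of a user database (one of the data types exposed in the breach), here is an added example, not code from the original article or from Sony: for passwords the practical form of "encrypted securely" is a per-user salt and a deliberately slow one-way hash, so a leaked table gives an attacker neither the passwords nor a cheap way to recover them. The example uses Python’s standard-library scrypt; the record format, the parameter choices and the constructed "leaked" table are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work-factor parameters (assumed for this example): 128 * n * r * p bytes of
# memory per hash, here 16 MiB, which keeps offline guessing expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, parameters, salt and digest.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table cannot be reused across users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DERIVED_KEY_BYTES,
    )
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(digest))


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time, so a mismatch leaks nothing about where bytes differ."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(
            password.encode("utf-8"),
            salt=salt,
            n=int(n),
            r=int(r),
            p=int(p),
            dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def leaked_table_reveals_plaintext(table: dict, plaintexts: list) -> bool:
    """Defender's sanity check: does any stored record contain a plaintext
    password verbatim? With proper hashing the answer must be False."""
    return any(pw in rec for rec in table.values() for pw in plaintexts)


if __name__ == "__main__":
    # Constructed sample data for the example; not real accounts.
    users = {"alice": "correct horse battery staple", "bob": "correct horse battery staple"}
    table = {name: hash_password(pw) for name, pw in users.items()}
    for name, rec in table.items():
        print(name, rec)
    print("same password, different records:", table["alice"] != table["bob"])
    print("login ok:", verify_password("correct horse battery staple", table["alice"]))
    print("wrong password rejected:", not verify_password("hunter2", table["alice"]))
    print("plaintext visible in leak:", leaked_table_reveals_plaintext(table, list(users.values())))
```

Payment card data is a different case: it must be recoverable for charging, so it is protected with reversible encryption under a key that lives outside the database (or, better, not stored at all and replaced by a token from the payment processor). Either way, the test a practitioner should apply is the one the article states: if only the database is stolen, the attacker gets nothing usable.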

A fine sends a strong message to other companies that sloppiness when it comes to data security is not acceptable.

How many headlines do there have to be before companies take the issue more seriously?


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
