Sony Corp.’s U.K. unit was fined 250,000 pounds ($394,500) by the country’s privacy regulator over a 2011 hacker attack that put the personal data of 77 million PlayStation users worldwide at risk.
Sony could have prevented the breach by keeping software up-to-date and ensuring that passwords were secure, the U.K. Information Commissioner’s Office said in a statement on its website.
The April 2011 hacker attacks on Sony’s Qriocity network, which provides PlayStation users with access to videos and games, compromised more than 100 million customer accounts, the second-largest online data breach in U.S. history. Sony suspended those services until July and budgeted 14 billion yen ($155.4 million) in costs that year. Two members of the LulzSec “hacktivist” group pleaded guilty last year to U.K. charges that they disrupted the websites of Sony, the U.S. Central Intelligence Agency and News Corp.
“If you are responsible for so many payment-card details and log-in details, then keeping that personal data secure has to be your priority,” said David Smith, the U.K.’s deputy commissioner and director of data protection. “In this case that just didn’t happen, and when the database was targeted -- albeit in a determined criminal attack -- the security measures in place were simply not good enough.”
Sony said that it would appeal the decision.
“Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defense and working to make our networks safe, secure and resilient,” the company said in a statement.
The fine is the second-highest levied by the U.K. privacy regulator following a 325,000-pound penalty for Brighton and Sussex University Hospitals NHS Trust in June 2011.
“This is going to be the future,” said Flip Petillion, a lawyer in the Brussels office of law firm Crowell & Moring LLP. “For the last 20 years if companies didn’t respect data-protection rules, they got a briefing” or “a simple request to abide by the rules. This is definitely going to change and they will get fines.”
The European Union is pushing through an overhaul of the 27-nation bloc’s data-protection rules that may force anyone controlling data to notify regulators and individuals when a data breach is discovered.
EU Justice Commissioner Viviane Reding in November 2011, just over 6 months after the Sony hacker attack, said the “incident highlighted why companies need to reinforce the security of the information they hold.”