Sony has been fined £250,000 by the data watchdog for a breach that compromised the personal information of millions of PlayStation users. The Information Commissioner’s Office (ICO) issued the penalty after it found the attack on the Sony PlayStation Network in April 2011 could have been prevented.
Personal information including customers’ payment card details, names, addresses, e-mail addresses, dates of birth and account passwords were exposed.
Under the Data Protection Act (DPA) organisations must take “appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. The Act also requires organisations to ensure that the personal data they hold is “adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”.
David Smith, ICO deputy commissioner and director of data protection, said: “If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.”
Sony should have known better. It is a company that trades on its technical expertise, and there’s no doubt that it had access to both the technical knowledge and the resources to keep this information safe. Sony rebuilt its Network Platform to ensure that the personal information it processes is kept secure.
Marc Dautlich, data protection law specialist at Pinsent Masons, added: “Organisations need to be given guidance on what technical measures can be said to constitute an appropriate standard of security for the purposes of compliance with the Data Protection Act (DPA).
“The Sony appeal could be extremely interesting as it may provide an insight into what the ICO considers to be an appropriate standard of security that organisations have to have in place, particularly as it is a case involving a company in the private sector.
“Organisations are increasingly subject to malicious attacks and clarity from the ICO is needed about just how good security needs to be to meet the requirements of the DPA.
“This is an important issue at the moment, but it will come even more into focus if all organisations are mandatorily obliged to report data breach incidents as would be the case if proposed reforms to EU data protection laws are introduced as currently drafted.
“In our experience it is also very often the case that security incidents go hand-in-hand with a finding that organisations are holding too much personal data. This case should highlight the need for firms to concentrate on their retention policies and give the issue sufficient attention.”