Sony is still dealing with the aftermath from the massive security breach its PlayStation Network suffered in 2011. Although a class action lawsuit against the company was recently dismissed in the US, citing clauses in the terms of service noting that “there is no such thing as perfect security,” UK authorities feel the issue could have nonetheless been prevented and has decided to slap the company with a £250,000 (~$395,000) fine.
The Information Commissioner's Office (ICO) criticized the firm for not having up-to-date security software, and noted that “technical developments” led to passwords not being secure.
"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority," David Smith, deputy commissioner and director of data protection, said in a statement. “Sony should have known better. […] It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe,” he added. The ICO issued a report detailing its findings.
The breach exposed names, addresses, e-mail addresses, dates of birth, and passwords associated with some 77 million accounts. It also put credit card data at risk and resulted in Sony shutting down the network for several weeks. After remaining incredibly quiet for the first few days, the company offered an apology to its users, and launched an identity theft protection program a $1 million insurance policy per user as part of its mitigation measures. Since then the firm has also rebuilt the PlayStation Network system to be more secure.
Sony has until February 13 to pay the fine at a discount of 20% as well as the option to file an appeal. The company is doing the latter, arguing in a statement that it was the victim of a “focused and determined criminal attack” and that there is no evidence that users’ encrypted card details were accessed during the data breach.