Sony Fined In UK For PlayStation Network Hack 86
Sockatume writes "The UK's information protection authority, the ICO, has fined Sony for failing to adequately secure the information of PlayStation Network users. The investigation was triggered by a 2011 security breach, during which personally identifying information (including password hashes) was recovered from a Sony database where it had been stored without encryption. In the ICO's view Sony's security measures were inadequate, and the attack could have been prevented. The £250,000 (ca. $400,000) fine, the largest the ICO has ever imposed, is equivalent to a few pennies per affected user. Sony disagrees with the ICO's decision and intends to appeal."
My god! (Score:5, Insightful)
GBP 250,000
That's a lot of money. I'm sure a multibillion sized corporation will really sit up and take notice. If they keep on doing that, say several hunded thousand times per year it might even affect their bottom line.
Good ... (Score:5, Insightful)
If companies start to realize they're legally on the hook for data security maybe they'll start trying harder.
So many of these security stories sound like they had a co-op student do it in an afternoon with no consideration for anything other than getting it done quickly.
Re:Good ... (Score:5, Insightful)
So many of these security stories sound like they had a co-op student do it in an afternoon with no consideration for anything other than getting it done quickly.
From what I've seen most companies get a qualified, experienced, and smart person who really wants to do a great job to secure these things. Then they demand it's done in a week. Then they demand that for each day in that week that person must attend 6 hours of meetings. Then they make it very clear that security must never affect functionality.
Not that I'm saying it's just security people that get squeezed into doing a bad job when they really want to do a good one. It happens a lot.
Re:$400k? That's it? (Score:5, Insightful)
Maybe it's time to start enforcing corporate fines as a percentage of current market cap, payable by newly issued stock to the regulatory agencies. That would deflate the value of the existing stock, getting the shareholders to whip the company into line (hopefully). Also, too many repeat offenses would give the regulators increasing control over the company itself. After 5-10 years, allow the company to buy the stock back.
That's quite nonsensical since many big companies are in many different businesses. Take Samsung. They build ships. I assume that they are not better or worse than other companies building ships, so sometimes they will be fined. Except according to your plan, ten times more than other ship builders, because they are in many more businesses. Samsung also builds tractors. Again, I assume they are not better or worse than other companies building tractors, but if something goes wrong you want to fine them ten times more.
There are Google employees driving around in little cars taking photos of all kinds of places. Sometimes they are speeding. Do you think Google should pay a million dollar fine every time one of their cars gets caught speeding? There's a truck company owning 3 trucks. And another one owning 3,000. Statistically, the one with 3,000 trucks will get 1000 times more speeding tickets, parking tickets, and so on. Do you think they should pay 1,000 times more per ticket because they are bigger?