
Sony Fined In UK For PlayStation Network Hack

Posted by timothy
from the that's-barely-a-bonus-for-ceos dept.
Sockatume writes "The UK's information protection authority, the ICO, has fined Sony for failing to adequately secure the information of PlayStation Network users. The investigation was triggered by a 2011 security breach, during which personally identifying information (including password hashes) was recovered from a Sony database where it had been stored without encryption. In the ICO's view Sony's security measures were inadequate, and the attack could have been prevented. The £250,000 (ca. $400,000) fine, the largest the ICO has ever imposed, is equivalent to a few pennies per affected user. Sony disagrees with the ICO's decision and intends to appeal."
  • by Anonymous Coward

    Encryption's been here for -how long-? As a standard, over a decade before you were hacked; I think more like a decade and a half. And you have a high profile. And you store credit card information.

    Eat it.

    • The credit card info was encrypted. Passwords were hashed. The personal info was the bit unencrypted but that's not exactly uncommon (even Valve doesn't encrypt that as their breach revealed).
    • "Encryption's been here for -how long-?"

      As the other poster stated: this information was NOT stored in plaintext. Passwords were hashed. Sony's statement tries to make an artificial distinction between encryption and hashing (perhaps to justify their earlier statement?) but the fact is that hashing is encryption. Just a particular form of it.
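
The summary says password hashes were stored while other personal data was not, and the two replies above argue about whether hashing counts as encryption. Whatever one calls it, the property that matters to the people who had their data in that database is that a properly stored password hash can be checked but not turned back into the password, and that salting keeps two users with the same password from sharing a stored value. The following Python is an added illustration for this thread, not code from Sony, the ICO, or any commenter; the record format, the iteration count and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import NamedTuple, Optional

# Added illustration, not code from Sony or the ICO report: a password store
# that keeps only a salted, slow hash, compared with an unsalted fast hash.
# The iteration count and the record format below are assumptions for this example.
DEFAULT_ITERATIONS = 200_000


class StoredCredential(NamedTuple):
    """What the database row holds: no password, only what is needed to verify one."""
    algorithm: str
    iterations: int
    salt: bytes
    digest: bytes

    def encode(self) -> str:
        # One-line record format chosen for this example: algo$iterations$salt_hex$digest_hex
        return f"{self.algorithm}${self.iterations}${self.salt.hex()}${self.digest.hex()}"

    @classmethod
    def decode(cls, record: str) -> "StoredCredential":
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        return cls(algorithm, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> StoredCredential:
    """Derive a per-user salted digest. Unlike encryption, no key exists that reverses this."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredCredential("pbkdf2_sha256", iterations, salt, digest)


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    cred = StoredCredential.decode(record)
    if cred.algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), cred.salt, cred.iterations)
    return hmac.compare_digest(candidate, cred.digest)


def unsalted_sha1(password: str) -> str:
    """The weak alternative: identical passwords give identical, precomputable hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def same_password_shares_hash(password: str, salted: bool) -> bool:
    """True if two users who choose the same password end up with the same stored value."""
    if salted:
        first = hash_password(password, iterations=1000).digest
        second = hash_password(password, iterations=1000).digest
        return first == second
    return unsalted_sha1(password) == unsalted_sha1(password)


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    record = hash_password("correct horse battery staple").encode()
    print("stored row:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print("salted store, same password twice, same row value:",
          same_password_shares_hash("hunter2", salted=True))
    print("unsalted store, same password twice, same row value:",
          same_password_shares_hash("hunter2", salted=False))
```

The stored row contains the salt and iteration count in the clear; that is deliberate, since neither is secret. What a dump of this table gives an outsider is only the cost of guessing each password one user at a time, which is the whole point of the distinction the ICO summary draws between hashed passwords and the unencrypted personal data around them.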

  • My god! (Score:5, Insightful)

    by serviscope_minor (664417) on Thursday January 24, 2013 @11:57AM (#42680583) Journal

    GBP 250,000

    That's a lot of money. I'm sure a multibillion-sized corporation will really sit up and take notice. If they keep on doing that, say several hundred thousand times per year, it might even affect their bottom line.

    • by 1s44c (552956)

      The money might mean nothing to Sony but the embarrassment must.

      But if your point is that it's silly to fine a massive company so little then I totally agree.

      • by zandeez (1917156)
        It is a pitiful amount considering the severity of the breach. However, it's the maximum fine for such a breach allowed under UK law, which also speaks volumes.
      • by tlhIngan (30335)

        The money might mean nothing to Sony but the embarrassment must.

        It's an important point as it brings the whole breach back into light. And if Sony decides to fight it, they run a very real risk that some decision would come out during E3 and the reveal of the PS4.

        Now how do you think that would go over - Sony reveals the PS4 with online this and online that, followed by a headline about Sony's online service security breach? To most people, that won't inspire much confidence in Sony's online offerings - aft

        • by Gravatron (716477)
          No one, outside the anti-Sony fanboys, really cared the first time, seeing as most PSN users came right back as soon as the system relaunched. Sony was, for most, seen as the victim of the attack, along with its users, with the blame rightfully falling on the criminals who performed it. It's not like Sony leaked the information; someone broke in and stole it.
      • by Anonymous Coward

        The money might mean nothing to Sony but the embarrassment must.

        It must? Has it yet?

        No, seriously, go out in the real world, away from the ubergeek nerd communities and wannabe-freedom-fighters, and ask PS3 owners if they even remember anything about the Sony data breach. Ask them if they even heard about it in the first place while they're drooling over the next God of War or Metal Gear Semipermeable: REVENGENCEFUL. Go ask people who watch movies produced by one of Sony's labels, or listen to albums by similar. See how much the "embarrassment" hurt Sony.

        Then once y

        • by 1s44c (552956)

          Hey! I never said Sony would die of embarrassment or that this fine would cause them massive additional loss of face.

          I only said the damage done by the bad press must be greater than the rather small fine. A few people would have noticed, a few people who might otherwise buy Sony products might just go buy something else.

      • The fine is a drop in the bucket compared to the PSN store being down for several weeks. Games released when PSN was down also did not sell well. They also purchased credit card theft insurance for all their users who had credit card info on PSN. They also had to give out free games to win back good will from users. So even without the fine, the market punished Sony quite a bit.
      • I doubt it...they seemed to recover rather quickly from the fallout from their rootkits...
      • by AmiMoJo (196126) *

        There is talk of increasing the limit to a percentage of the company's global profits.

        The real scandal is that Sony has not had to compensate those affected. At least people in the US got some free identity protection, we got bugger all.

    • by Anonymous Coward

      The ICO isn't a court of law; it doesn't have unlimited power, or the power to issue unlimited fines - and that's a good thing, since it prevents the ICO becoming abusive in its practices.

      That said, an ICO decision does not stop affected users from pursuing private claims against Sony, and anyone pursuing a private claim can point at this decision, so the actual costs of the decision could be much higher than the immediate fine. There's also the loss of trade avenue to consider - people who now won't do

    • by Anonymous Coward

      You can do a lot of security work for £250,000. It doesn't matter that the fine doesn't cripple them, just that it makes slack security practices more costly than doing the right thing. No company becomes a multibillion-dollar company by thinking that £250k is worth the effort of bothering to do anything about.

  • Good ... (Score:5, Insightful)

    by gstoddart (321705) on Thursday January 24, 2013 @11:57AM (#42680585) Homepage

    If companies start to realize they're legally on the hook for data security maybe they'll start trying harder.

    So many of these security stories sound like they had a co-op student do it in an afternoon with no consideration for anything other than getting it done quickly.

    • Re:Good ... (Score:5, Insightful)

      by 1s44c (552956) on Thursday January 24, 2013 @12:24PM (#42680745)

      So many of these security stories sound like they had a co-op student do it in an afternoon with no consideration for anything other than getting it done quickly.

      From what I've seen most companies get a qualified, experienced, and smart person who really wants to do a great job to secure these things. Then they demand it's done in a week. Then they demand that for each day in that week that person must attend 6 hours of meetings. Then they make it very clear that security must never affect functionality.

      Not that I'm saying it's just security people that get squeezed into doing a bad job when they really want to do a good one. It happens a lot.

      • by am 2k (217885)

        From what I've seen most companies get a qualified, experienced, and smart person who really wants to do a great job to secure these things. Then they demand it's done in a week. Then they demand that for each day in that week that person must attend 6 hours of meetings. Then they make it very clear that security must never affect functionality.

        Well, that still does the job it's supposed to: If something happens, the manager is not to blame, because he's the one who hired the security guy.

    • I don't know, is this a good thing? What about small companies that just want to sell something? There are ways of pushing the compliance on someone else for a fee, but perhaps looking at what data is necessary for this stuff and a complete overhaul of our payment systems would be better. I am not saying companies should not be PCI compliant, but credit card issuers should also be required to come up with something better.
      • by gstoddart (321705)

        I don't know, is this a good thing? What about small companies that just want to sell something?

        If you live in a place which has data protection laws like Europe, then you need to comply with them.

        Incompetence isn't a reason to not be adhering to the data security laws in the first place. Neither is "too hard".

        • So how many credit cards were compromised and how is this fine proportionate? How does this put a dent in a large corporation? All it does is eliminate smaller business. My point was that the means of purchasing something are insecure and that insecurity is passed on to the seller. That should be corrected. In fact it would probably be better if credit card companies had to deal with all this security themselves similar to how you can get redirected to Paypal for completing a transaction. So when your
    • This was a major hack. They got the site back up, then the next day it went down again; service was down for about 2 weeks if not more.
  • Irony (Score:3, Funny)

    by deathtopaulw (1032050) on Thursday January 24, 2013 @11:58AM (#42680593) Homepage
    Does anyone else find it funny that they were disciplined by ICO [wikipedia.org], one of the few things Sony has ever gotten right?
    • by Anonymous Coward

      First thing I thought about as well when I read the acronym. :D

  • $400k? That's it? (Score:5, Interesting)

    by eth1 (94901) on Thursday January 24, 2013 @12:00PM (#42680607)

    I'm so sure that will get them to shape up right away...

    Maybe it's time to start enforcing corporate fines as a percentage of current market cap, payable by newly issued stock to the regulatory agencies. That would deflate the value of the existing stock, getting the shareholders to whip the company into line (hopefully). Also, too many repeat offenses would give the regulators increasing control over the company itself. After 5-10 years, allow the company to buy the stock back.

    • by gnasher719 (869701) on Thursday January 24, 2013 @12:30PM (#42680787)

      Maybe it's time to start enforcing corporate fines as a percentage of current market cap, payable by newly issued stock to the regulatory agencies. That would deflate the value of the existing stock, getting the shareholders to whip the company into line (hopefully). Also, too many repeat offenses would give the regulators increasing control over the company itself. After 5-10 years, allow the company to buy the stock back.

      That's quite nonsensical since many big companies are in many different businesses. Take Samsung. They build ships. I assume that they are not better or worse than other companies building ships, so sometimes they will be fined. Except according to your plan, ten times more than other ship builders, because they are in many more businesses. Samsung also builds tractors. Again, I assume they are not better or worse than other companies building tractors, but if something goes wrong you want to fine them ten times more.

      There are Google employees driving around in little cars taking photos of all kinds of places. Sometimes they are speeding. Do you think Google should pay a million dollar fine every time one of their cars gets caught speeding? There's a truck company owning 3 trucks. And another one owning 3,000. Statistically, the one with 3,000 trucks will get 1000 times more speeding tickets, parking tickets, and so on. Do you think they should pay 1,000 times more per ticket because they are bigger?

      • by saphena (322272)

        If you want to change behaviour using sticks rather than carrots you do need to use an appropriate stick. Hitting an elephant with a matchstick probably won't influence his behaviour much, hitting him with a telegraph pole might get his attention.

        If Google was fined $1,000,000 every time one of their employees gets caught speeding, they'd pretty soon figure out how to prevent their employees speeding (or at least getting caught).

          If Google was fined $1,000,000 every time one of their employees gets caught speeding, they'd pretty soon figure out how to prevent their employees speeding (or at least getting caught).

          On the other hand, Microsoft and Apple would hand over a bit of cash to 100 or so drivers, and next day Google would be bankrupt.

      • by AmiMoJo (196126) *

        Fortunately companies are required to report their income from different parts of the business, so it wouldn't be hard for someone qualified to look at the accounts and say "10% of your shipbuilding related turnover".

        There's a truck company owning 3 trucks. And another one owning 3,000. Statistically, the one with 3,000 trucks will get 1000 times more speeding tickets, parking tickets, and so on. Do you think they should pay 1,000 times more per ticket because they are bigger?

        These fines are generally reserved for large, systematic failures. If the larger company was continually telling its drivers to speed, removing speed limiters from its vehicles and so forth a proportional fine would be in order. Otherwise it is ineffective and they could be in a position where

    • by 1s44c (552956)

      That's just bizarre. Regulatory agencies don't want to run companies, they want the companies to run themselves in a responsible way. They are not in the investing game and should never be put in a position where they have an incentive to favor one company over another.

      Cash should be used for fines, ideally that cash should not go to the organization that imposed the fine.

      • by eth1 (94901)

        That's just bizarre. Regulatory agencies don't want to run companies, they want the companies to run themselves in a responsible way. They are not in the investing game and should never be put in a position where they have an incentive to favor one company over another.

        Of course they don't - and probably wouldn't. The point is that the fact that they *could* should scare the shit out of the board and shareholders, so that they don't have to.

  • by Anonymous Coward

    This is not the largest fine for data breaches imposed by the ICO.

    The largest went to Brighton and Hove NHS hospitals, after they contracted with a data destruction firm to destroy hard drives used by the HIV clinic. A staff member of the destruction contractor stole the drives and forged a destruction certificate, before selling the drives on eBay where they were picked up by a data recovery firm among other people.

    The hospital was fined £325k. It is not reported what happened to the data destructi

  • by ikaruga (2725453) on Thursday January 24, 2013 @01:25PM (#42681317)
    I kind of like Sony. I have a Vita (not because of Sony but because it has reasonable third party support here in Japan; I really enjoy the library so far) and an Xperia phone (decent phone with great looks). But holy crap, their security setup pre-hacking was something a baby could build better. Considering the amount of DRM they put on their products, I would at least expect them to take server side security and data encryption seriously. The PS3 took 5 years to get hacked, but the PSN goes down in a few days by a bunch of script kids? WTF!? $400000 is pocket money even for Sony; the penalties should be much harsher, not only so that Sony doesn't ever decide to commit the same mistake again but also to scare other lazy companies into upgrading their cloud services.
    • It probably cost them less in fines than it would have to actually have the network running over that time. Pointless...

    • by Gravatron (716477)
      It wasn't just script kiddies though. They, iirc, used hacked consoles and Amazon cloud servers to force their way into some area where they had access to PSN user data. I'm not sure they ever released how, exactly, it was done though. Seeing as Sony rebuilt their entire network and has suffered no further PSN breaches, I'd say they learned their lesson.
    • Sony lost plenty of money when the store was down. Disk based games didn't sell because people wanted to play multiplayer. Consoles didn't sell because of the bad press. DLC and PSN games didn't sell because the store was down. After it came back up many people removed their credit card info and stopped buying DLC and PSN games.
  • It's a PR slap. The money is irrelevant; it's what could be done, and I wish we would do more of that here in the US.
    A lot of sensitive information was let out into the open, and I was affected in that I had to get a new card. Not a problem. Then it happened again.
    So I get another new card, and I now have a fancy Blu-ray player, completely isolated and not connected, not subscribing to or buying anything. Not a problem.
  • ...I still can't figure out what grounds Sony could possibly have for an appeal.

    They "Strongly disagree" with the ruling. I suppose it's in their best interests to disagree, but based on the publicly known information about this hack, how could they possibly hope to succeed in overturning this ruling?
