Sony Fined In UK For PlayStation Network Hack
Sockatume writes "The UK's information protection authority, the ICO, has fined Sony for failing to adequately secure the information of PlayStation Network users. The investigation was triggered by a 2011 security breach, during which personally identifying information (including password hashes) was recovered from a Sony database where it had been stored without encryption. In the ICO's view Sony's security measures were inadequate, and the attack could have been prevented. The £250,000 (ca. $400,000) fine, the largest the ICO has ever imposed, is equivalent to a few pennies per affected user. Sony disagrees with the ICO's decision and intends to appeal."
Appeal? Really? (Score:2)
Encryption's been here for -how long-? As a standard, over a decade before you were hacked; I think more like a decade and a half. And you have a high profile. And you store credit card information.
Eat it.
Re: (Score:2)
"Encryption's been here for -how long-?"
As the other poster stated: this information was NOT stored in plaintext. Passwords were hashed. Sony's statement tries to make an artificial distinction between encryption and hashing (perhaps to justify their earlier statement?) but the fact is that hashing is encryption. Just a particular form of it.
Re: (Score:2)
"Nope. Wrong. Hashing is not AT ALL like encryption."
Sorry, but you are wrong. Hashing IS a form of encryption.
You, too, try to make an artificial distinction between what YOU call "good encryption" and other forms, which -- despite your protests to the contrary -- are still encryption.
Encryption is merely an algorithmic means to hide information. That is all. Some methods are better than others; and some are more suitable for particular tasks than others.
Further, encryption does not have to work both ways. Getting your information back is decryption
Re: (Score:2)
"I see people making this type of confusion every day in my job when I review security policies and architectures."
I can play the Wikipedia game too. As Wikipedia says: "Ciphertext indistinguishability is a property of many encryption schemes." It does NOT say it is a requirement in order to qualify as "encryption". It's merely a feature common to MANY styles of encryption. For a given purpose, there exist good forms of encryption and bad forms of encryption. But they are all still encryption.
One-way hash functions are a form of encryption, and a properly-hashed plaintext is commonly (and rightfully) said to be "encr
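The hashing-versus-encryption argument in this sub-thread turns on one property: a hash has no key and no inverse, so the only operation a stored hash supports is recomputing it for a candidate and comparing. The following is an added example, not code from the thread or from Sony, showing why the storage details still matter for a breached database: an unsalted fast hash is deterministic across users (two accounts with the same password expose the same digest), while a salted, iterated PBKDF2 record is per-user and can only be checked, never reversed. The user passwords, record format and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample passwords for two hypothetical users; not real data.
ALICE_PW = "correct horse battery staple"
BOB_PW = "correct horse battery staple"   # Bob happens to pick the same one

ITERATIONS = 200_000  # assumed work factor; tune so one check costs ~100 ms


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: fast and deterministic.
    Every user with this password gets the same digest, so a single
    precomputed table of common passwords checks every row at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow password hash. The record is self-describing so the
    parameters can be raised later without breaking existing rows."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """There is no 'decrypt': the server recomputes the hash for the
    supplied password and compares in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_visible(stored_a: str, stored_b: str) -> bool:
    """Do two stored values reveal that their owners share a password?"""
    return stored_a == stored_b


if __name__ == "__main__":
    print("unsalted: shared password visible:",
          shared_password_visible(unsalted_hash(ALICE_PW), unsalted_hash(BOB_PW)))
    a, b = store_password(ALICE_PW), store_password(BOB_PW)
    print("salted:   shared password visible:", shared_password_visible(a, b))
    print("verify right/wrong:", verify_password(ALICE_PW, a), verify_password("letmein", a))
```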
My god! (Score:5, Insightful)
GBP 250,000
That's a lot of money. I'm sure a multibillion sized corporation will really sit up and take notice. If they keep on doing that, say several hundred thousand times per year, it might even affect their bottom line.
Re: (Score:3)
The money might mean nothing to Sony but the embarrassment must.
But if your point is that it's silly to fine a massive company so little then I totally agree.
Re: (Score:2)
I used to think it'd be a good idea to define all fines not in absolutes, but percentages of income (individuals) or profits (corporations). Then I realised that many mega-corps don't actually have much in the way of profits on paper, for tax purposes.
Re: (Score:2)
Define it as a percentage of total worth for corporations?
Re: (Score:2)
You'd just see similar issues with manipulating the numbers. Easy enough for a corporate giant to simply contract out most operations to smaller 'independent' companies for a token fee, acting as essentially subdivisions but with a clear legal distinction. Thus the fine would be applied only to a very small sub-company, rather than the giant owner.
Re: (Score:2)
They might have such a system already in place for tax avoidance too.
Re: (Score:2)
The classic offshore subsidiary. Good for all manner of legal evasions, as well as legitimate business purposes.
Re: (Score:3)
EU anti-competition regulators can fine up to 10% of worldwide turnover.
http://en.wikipedia.org/wiki/European_Union_competition_law#Enforcement
Re: (Score:2)
You have to make the fine based on the gross sales of the associated product. If this were even 1% of all PS3 and Playstation Store sales, it would be a real fine. Anything else is trivially gamed to zero, the same way taxes are.
Re: (Score:2)
I considered that too. But that isn't fair - such a fine would be far more serious for a low-margin high-volume company than a high-margin low-volume company.
Re: (Score:1)
No, it's not the maximum fine under UK law - that's £500K. See http://www.theregister.co.uk/2010/04/05/ico_power_analysis/
The summary isn't even right about it being the highest fine imposed so far by the ICO for a breach of the Data Protection Act. There was a £325K fine imposed on an NHS trust. See http://www.ico.gov.uk/news/latest_news/2012/nhs-trust-fined-325000-following-data-breach-affecting-thousands-of-patients-and-staff-01062012.aspx
Re: (Score:2)
It's the largest fine ever given to a private company, but not the maximum fine allowed by the law. Some local authorities have had larger fines.
Re: (Score:3)
It's an important point as it brings the whole breach back into light. And if Sony decides to fight it, they run a very real risk that some decision would come out during E3 and the reveal of the PS4.
Now how do you think that would go over - Sony reveals the PS4 with online this and online that, followed by a headline about Sony's online service security breach? To most people, that won't inspire much confidence in Sony's online offerings - aft
Re: (Score:1)
The money might mean nothing to Sony but the embarrassment must.
It must? Has it yet?
No, seriously, go out in the real world, away from the ubergeek nerd communities and wannabe-freedom-fighters, and ask PS3 owners if they even remember anything about the Sony data breach. Ask them if they even heard about it in the first place while they're drooling over the next God of War or Metal Gear Semipermeable: REVENGENCEFUL. Go ask people who watch movies produced by one of Sony's labels, or listen to albums by similar. See how much the "embarrassment" hurt Sony.
Then once y
Re: (Score:2)
Hey! I never said Sony would die of embarrassment or that this fine would cause them massive additional loss of face.
I only said the damage done by the bad press must be greater than the rather small fine. A few people would have noticed, a few people who might otherwise buy Sony products might just go buy something else.
fine nothing compared to lost sales (Score:2)
Re: (Score:2)
There is talk of increasing the limit to a percentage of the company's global profits.
The real scandal is that Sony has not had to compensate those affected. At least people in the US got some free identity protection, we got bugger all.
Re: (Score:1)
The ICO isn't a court of law; it doesn't have unlimited power, or the power to issue unlimited fines - and that's a good thing, since it prevents the ICO becoming abusive in its practices.
That said, an ICO decision does not stop affected users from pursuing private claims against Sony, and anyone pursuing a private claim can point at this decision, so the actual costs of the decision could be much higher than the immediate fine. There's also the loss of trade avenue to consider - people who now won't do
Re: (Score:1)
You can do a lot of security work for £250,000. It doesn't matter that the fine doesn't cripple them; it just has to make slack security practices more costly than doing the right thing. No company becomes a multibillion-dollar one by thinking that £250k is worth the effort of bothering to do anything about.
Good ... (Score:5, Insightful)
If companies start to realize they're legally on the hook for data security maybe they'll start trying harder.
So many of these security stories sound like they had a co-op student do it in an afternoon with no consideration for anything other than getting it done quickly.
Re:Good ... (Score:5, Insightful)
So many of these security stories sound like they had a co-op student do it in an afternoon with no consideration for anything other than getting it done quickly.
From what I've seen most companies get a qualified, experienced, and smart person who really wants to do a great job to secure these things. Then they demand it's done in a week. Then they demand that for each day in that week that person must attend 6 hours of meetings. Then they make it very clear that security must never affect functionality.
Not that I'm saying it's just security people that get squeezed into doing a bad job when they really want to do a good one. It happens a lot.
Re: (Score:2)
From what I've seen most companies get a qualified, experienced, and smart person who really wants to do a great job to secure these things. Then they demand it's done in a week. Then they demand that for each day in that week that person must attend 6 hours of meetings. Then they make it very clear that security must never affect functionality.
Well, that still does the job it's supposed to: If something happens, the manager is not to blame, because he's the one who hired the security guy.
Re: (Score:2)
If you live in a place which has data protection laws like Europe, then you need to comply with them.
Incompetent isn't a reason to not be adhering to the data security laws in the first place. Neither is "too hard".
Irony (Score:3, Funny)
Re: (Score:1)
First thing I thought about as well when I read the acronym. :D
$400k? That's it? (Score:5, Interesting)
I'm so sure that will get them to shape up right away...
Maybe it's time to start enforcing corporate fines as a percentage of current market cap, payable by newly issued stock to the regulatory agencies. That would deflate the value of the existing stock, getting the shareholders to whip the company into line (hopefully). Also, too many repeat offenses would give the regulators increasing control over the company itself. After 5-10 years, allow the company to buy the stock back.
Re:$400k? That's it? (Score:5, Insightful)
Maybe it's time to start enforcing corporate fines as a percentage of current market cap, payable by newly issued stock to the regulatory agencies. That would deflate the value of the existing stock, getting the shareholders to whip the company into line (hopefully). Also, too many repeat offenses would give the regulators increasing control over the company itself. After 5-10 years, allow the company to buy the stock back.
That's quite nonsensical since many big companies are in many different businesses. Take Samsung. They build ships. I assume that they are not better or worse than other companies building ships, so sometimes they will be fined. Except according to your plan, ten times more than other ship builders, because they are in many more businesses. Samsung also builds tractors. Again, I assume they are not better or worse than other companies building tractors, but if something goes wrong you want to fine them ten times more.
There are Google employees driving around in little cars taking photos of all kinds of places. Sometimes they are speeding. Do you think Google should pay a million dollar fine every time one of their cars gets caught speeding? There's a truck company owning 3 trucks. And another one owning 3,000. Statistically, the one with 3,000 trucks will get 1000 times more speeding tickets, parking tickets, and so on. Do you think they should pay 1,000 times more per ticket because they are bigger?
Re: (Score:2)
If you want to change behaviour using sticks rather than carrots you do need to use an appropriate stick. Hitting an elephant with a matchstick probably won't influence his behaviour much, hitting him with a telegraph pole might get his attention.
If Google was fined $1,000,000 every time one of their employees gets caught speeding, they'd pretty soon figure out how to prevent their employees speeding (or at least getting caught).
Re: (Score:2)
If Google was fined $1,000,000 every time one of their employees gets caught speeding, they'd pretty soon figure out how to prevent their employees speeding (or at least getting caught)
On the other hand, Microsoft and Apple would hand over a bit of cash to 100 or so drivers, and next day Google would be bankrupt.
Re: (Score:2)
Fortunately companies are required to report their income from different parts of the business, so it wouldn't be hard for someone qualified to look at the accounts and say "10% of your shipbuilding related turnover".
There's a truck company owning 3 trucks. And another one owning 3,000. Statistically, the one with 3,000 trucks will get 1000 times more speeding tickets, parking tickets, and so on. Do you think they should pay 1,000 times more per ticket because they are bigger?
These fines are generally reserved for large, systematic failures. If the larger company was continually telling its drivers to speed, removing speed limiters from its vehicles and so forth a proportional fine would be in order. Otherwise it is ineffective and they could be in a position where
Re: (Score:2)
That's just bizarre. Regulatory agencies don't want to run companies, they want the companies to run themselves in a responsible way. They are not in the investing game and should never be put in a position where they have an incentive to favor one company over another.
Cash should be used for fines, ideally that cash should not go to the organization that imposed the fine.
Re: (Score:2)
That's just bizarre. Regulatory agencies don't want to run companies, they want the companies to run themselves in a responsible way. They are not in the investing game and should never be put in a position where they have an incentive to favor one company over another.
Of course they don't - and probably wouldn't. The point is that the fact that they *could* should scare the shit out of the board and shareholders, so that they don't have to.
Re: (Score:2)
Maybe if every country Sony operated in then it wouldn't..
Re: (Score:1)
They also offered free identity protection to ALL OF THEIR CUSTOMERS, for free.
I never got an offer of free identity protection when my data was stolen. The e
Re: (Score:2)
I've got a very well-written response here, but in order to stick to my rule of not feeding the trolls I'll just point out that you clearly don't know the facts of the case very well and your argument is laughably specious.
Not the largest fine (Score:1)
This is not the largest fine for data breaches imposed by the ICO.
The largest went to Brighton and Hove NHS hospitals, after they contracted with a data destruction firm to destroy hard drives used by the HIV clinic. A staff member of the destruction contractor stole the drives and forged a destruction certificate, before selling the drives on eBay where they were picked up by a data recovery firm among other people.
The hospital was fined £325k. It is not reported what happened to the data destructi
Re: (Score:2)
My bad. It's the largest organisation to be fined that is not a local authority.
Fine not high enough (Score:4)
Re: (Score:2)
It probably cost them less in fines than it would have to actually have the network running over that time. Pointless...
Lost sales dwarf fines (Score:2)
Not about money (Score:1)
A lot of sensitive information was let out into the open, and I was affected in that I had to get a new card. Not a problem. Then it happened again.
So I get another new card, and I now have a fancy Blu-ray player, completely isolated and not connected, not subscribing to or buying anything. Not a problem.
And out of all this... (Score:1)
...I still can't figure out what grounds Sony could possibly have for an appeal.
They "Strongly disagree" with the ruling. I suppose it's in their best interests to disagree, but based on the publicly known information about this hack, how could they possibly hope to succeed in overturning this ruling?