Sony fined £250,000 for April 2011 security breach


January 27, 2013

It's no secret that the ramifications for an organisation that has been impacted by a cyber security breach can be far reaching, both in terms of reputational damage and financial impact.

This is a big part of the reason why regular security audit and penetration testing evaluations are so important towards ensuring that the private information of customers and employees is secure at all times.

The potential consequences of poor vulnerability management were again highlighted this week in the UK, where the Information Commissioner’s Office (ICO) has fined Sony Computer Entertainment Europe Limited a monetary penalty of £250,000 (AUS$377,125) for a high profile security breach that occurred in April 2011.

The incident saw the personal information – including names, addresses and passwords – of millions of Sony customers from countries including Australia and New Zealand compromised after out-of-date software allowed hackers to gain access to a secure network platform.

In handing down the penalty, ICO deputy commissioner and director of data protection David Smith said that Sony had failed to adequately protect the personal information of its customers through security measures that "were simply not good enough".

"There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe," said Mr Smith in a statement issued January 24.

Fortunately it seems that the compromised user data has not been used for fraudulent purposes, and no complaints have been received to date according to the official ICO monetary penalty notice.

Nonetheless, the incident serves as a stark reminder of the obligation that organisations have towards their customers to take all necessary actions to ensure that private and potentially exploitable information is as safe and secure as possible.

Mr Smith noted that while the penalty handed down to Sony was "clearly substantial", the ICO believes it is suitable considering the size and nature of the incident.

"The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft," said Mr Smith.

Sony has until 5PM on February 13 2013 to appeal the penalty, should it wish to do so.

Leave a Reply

Your email address will not be published. Required fields are marked *