Submitted by doctorstrange 534d ago | news

ICO Details PSN Hack Fine: "The Data Controller Knew, or Ought to Have Known, That There was a Risk"

The legal document provided by ICO is heavily redacted, but lists failings by the data controller as reasons for the fine’s severity, such as not using the latest security measures. “The data controller knew, or ought to have known, that there was a risk that the contravention would occur unless reasonable steps were taken”. Additionally, ICO complain that, because of Anonymous’ DDoS attacks prior to the hack, Sony should have taken steps to beef up security measures – although, in their defense, Anonymous had no plans to hack the PSN and openly said as much, but Sony certainly should have prepared.
-PSLS (PS3, PSP, Sony)

doctorstrange  +   534d ago
Worrying if true, but I think Sony were too busy concentrating on the DDoS attacks to focus on the PSN side at the time
nukeitall  +   534d ago
The DDoS should have tipped them off, but Sony got off easy in my opinion considering (which the article conveniently left off):

"The Information Commissioner’s Office said that Sony’s SECURITY SOFTWARE WAS NOT UP TO DATE, and that the HACK COULD HAVE BEEN PREVENTED."

"The ICO also said, in their report, that user passwords were not secure, and that names, addresses, dates of birth and payment card information could have been at risk."

"The ICO said that the SECURITY LAPSE was the “MOST SERIOUS IT HAS EVER SEEN,” and “there’s no disguising that this is a business that should have known better.”"

Note the, MOST SERIOUS THE ICO HAD EVER SEEN!

Lack of security updates? Everybody in the security world knows that you apply security updates as soon as possible, especially "security software"! It's akin to running your virus scanner with old virus definitions i.e. false security!

http://n4g.com/news/1160438...
#1.1 (Edited 534d ago ) | Agree(10) | Disagree(4) | Report | Reply
Ezz2013  +   534d ago
they were trying to hack into ICO
to know when they will launch TLG
Good_Guy_Jamal  +   534d ago
I knew one day team ICO would turn against SONY! (joke)
darkride66  +   534d ago
Odd. Citigroup was hacked at the exact same time and millions were stolen from their customers even though they didn't admit it for months. To my knowledge no one reported losing one cent due to the PSN hack and the regulators admitted "there is no evidence that the encrypted payment card details were accessed", which would on its surface seem to indicate that Sony's security measures protected customer info. Yet I can't seem to find any news regarding Citigroup's fine despite the actual theft.

I'm sure that fine's coming though. Even though the media pretty much ignored the theft of millions at the time to howl because encrypted PSN data made it into the hands of hackers, I'm sure the regulators still have to address fines for lax security for Citigroup that resulted in the actual theft of money. Right?

And does anyone even remember hearing when Sega was hacked a couple of months after Sony and data from 1.3 million customers was stolen related to "Sega Pass"? Much like Sony, there was no evidence there that credit card information was taken either. Odd, I don't remember that being a big deal either.

While I understand the need to keep companies on their toes, does it not seem like for some reason the media has been fixated on Sony over this? You'd think the actual theft of millions would be bigger news, but it was almost completely ignored. And why is there never any focus on the criminals who perpetrated these crimes? If a bank is robbed, we hear about the manhunt for the robbers, or if they have no idea who the robbers were a plea to the public for help. You never hear about the bank getting fined because its door had a slightly out of date lock on the front.

It's interesting to see how the media treats crimes differently. A bank is robbed and the criminals are responsible. A company is hacked and it's the company who is scrutinized by the media. Again, I think regulators should have a look in cases like these to make sure our information is being safeguarded by the companies we entrust the info to. I just find it questionable how the media prioritizes when it chooses to report these incidents.
nukeitall  +   534d ago
@darkride66:

That is a nice spin on it as usual. However, this is negligence, not the fact that "Sony was hacked".

Sony failed to put adequate measures in place to protect the sensitive data they were collecting. You should be happy somebody is doing this considering, this company didn't care to protect your data at all by:

a) not encrypting user passwords

b) using out of date security software

These are things that are standard for even small blogging sites, let alone a technology company that has put a lot more effort into protecting their own assets with the security against piracy on PS3.

"You never hear about the bank getting fined because its door had a slightly out of date lock on the front."

No, they have a security guard in front and massive security in place. These other financial companies getting hacked probably had proper security measures in place.

You don't blame the company (or bank) for getting hacked (robbed), but you do blame them if they didn't take proper security measures like Sony.

It is irresponsible and negligent of Sony, and it is even more irresponsible of consumers to accept such behavior. It doesn't matter if it is MS, Nintendo or any other company.

It is even worse when a consumer twists the thing around to protect a mega corporation in the wrong!

"Yet I can't seem to find any news regarding Citigroup's fine despite the actual theft."

In case you didn't know, that theft goes out of citicard's pocket. Credit card fraud is a cost the credit card company pays. There is no fine, probably because they had proper security measures.

Again, it is NOT the hack that is fined, it is the lackadaisical security Sony employed.
#1.3.1 (Edited 534d ago ) | Agree(1) | Disagree(4) | Report
darkride66  +   534d ago
We'll see how this goes on appeal. A number of courts already threw out cases against Sony finding that their security measures were in keeping with industry standards and that Sony was not responsible or negligent, nor did their actions lead to the breach.

A judge ruled in the US already that Sony wasn't responsible. When he dismissed the case, the judge commented "There is no such thing as perfect security. We cannot ensure or warrant the security of any information transmitted to us." He also said it's clear in Sony's customer agreement that "Sony's security was not 'perfect,'" and "no reasonable consumer could have been deceived." Also is the fact that no one has stepped forward and made a claim of damages against Sony.

I imagine this will be overturned on appeal if the previous court decisions worldwide are anything to go by. As the judge ruled previously, PSN's a free service and makes no claims to have impenetrable security. It's not like they were negligent or weren't using any security whatsoever.

If users don't like it, no one is holding a gun to their heads and forcing them to sign up. I have personal information on a number of sites and I don't expect those sites to be hack proof. I expect them to take reasonable measures to safeguard my information but the risk I take with my information online is my decision to make. If it weren't for Sony's honesty, we wouldn't even have known that anything had happened, and their actions to protect consumers after the hack went above and beyond in my opinion.

As for Citibank, personal and financial information leaked and millions were stolen as a result. I don't care if Citibank ultimately has to cover it, this hack led to an actual theft. The money to pay for this wasn't just conjured out of thin air. Someone, somewhere had to pay for it. A crime was committed and real world assets, in this case money, were legitimately stolen and have to be made up for while someone is off spending the ill-gotten gains. Obviously this is far worse than a case where no actual theft to customers took place.

If anything, the fact that the financial information was encrypted says that Sony DID have adequate security measures because even though hackers breached the system, they couldn't use anything they stole. Real monetary theft is obviously more serious than this case where financial data was still encrypted and not at any serious risk. Certainly you can recognize the difference, yet even though they happened at the same time, one case was widely reported, the other was ignored.

We'll see what happens on appeal. I'm curious to see where these guidelines are for internet security that Sony somehow breached that the ICO is basing this decision on.
iamnsuperman  +   534d ago
"ICO admits that “there is no evidence that the encrypted payment card details were accessed” and says they have received no complaints or reports of harm from the personal data lost and don’t think it was used by the hackers. "

Then I am unsure how they can fine and say what they said. I mean they admit themselves there is no evidence of details stolen. Also the fine is only half a million.

If I was Sony I would appeal. I am not sure how ICO can say details were compromised if they admit there is no evidence to support this
doctorstrange  +   534d ago
I think they're more upset that stuff could have potentially been compromised, even if it wasn't. But yeah, it seems a little harsh.

And I think Sony has already paid their dues, this was costly for them to say the least.
rainslacker  +   534d ago
I agree...I think too much was left out about what they were being fined for. It sounds like they were getting a DDoS attack and then got fined because they didn't take extra measures. OTOH, it's not unusual for big business to get those kinds of attacks often. On top of that they even admitted that it was a criminal attack.

While I think Sony should have had more security, the truth is, everything is hackable.
#2.2 (Edited 534d ago ) | Agree(4) | Disagree(3) | Report | Reply
iamnsuperman  +   534d ago
"While I think Sony should have had more security, the truth is, everything is hackable."

I agree it just takes time. It wasn't too long ago that a British guy (named Gary McKinnon) hacked into the Pentagon (one of the most secure places online). It doesn't matter how much you pay. Things can get hacked which is really worrying since everything is now online
nukeitall  +   534d ago
The problem isn't that Sony were hacked.

It was the fact that Sony:

a) didn't apply updates to their security software (in fact, it was the biggest lapse the ICO had ever seen).

b) user passwords were not encrypted

Those are *standard practices* that even amateur sites do to protect their users. This is common knowledge and really highlights the seriousness of the matter. In fact, most free software does this for you automatically. It's mind boggling that Sony doesn't do this.

See my post above.

Makes you wonder what security Sony had in place at all?

@iamnsuperman:

""While I think Sony should have had more security, the truth is, everything is hackable." "

Yes, but that is not an excuse for negligence and not doing *simple* standard security practices.

There is one thing that a network was attempted properly secured, and another when it is just thrown together ignoring security.

On the flip side, Sony is pretty darn good with the DRM and restrictions they put on the PS3!
#2.2.2 (Edited 534d ago ) | Agree(8) | Disagree(3) | Report
supremacy  +   534d ago
If I weren't typing this from my Vita, I would have provided you with a link. But Sony is already appealing this case on the same basis you mentioned just now.

Sony said in a statement pretty much what you just stated and are planning to appeal.

Personally I feel this is old news. Heck, I thought we were through with this. I am sure Sony will be okay when all is said and done and get back to reporting that profit they are supposed to report sometime this year.
LocutusEstBorg  +   534d ago
Probably outsourced to India. They never read the code and had no idea it was garbage.
#3 (Edited 534d ago ) | Agree(3) | Disagree(2) | Report | Reply
from the beach  +   534d ago
Good to see action over this. Hopefully it sends a clear message that any risk to security details is totally unacceptable!
doctorstrange  +   534d ago
But the message was already sent - Sony lost millions and suffered terrible PR. This seems overkill.
knifefight  +   534d ago
I thought this was going to be about ICO the game, like as in, the one by the guys that did Shadow of the Colossus. :(
Flatbattery  +   534d ago
Can we hear about all the other companies (gaming related or otherwise) that have been fined for actually losing customer information through their servers? Didn't think so, not newsworthy enough huh?
HiddenMission  +   534d ago
We do hear about them it's just that everyone even ICO have it up the rear to go after Sony. I know several other big name companies even credit card companies news reports about being hacked. These have made it up on here with way worse data breaches but no one cares...why because it's not Sony.
ziggurcat  +   534d ago
sony doom patrol drudging up this old, dead horse, eh?

they must be desperate to pull anything out of their ***es so close to a possible announcement of the next playstation.
#7 (Edited 534d ago ) | Agree(0) | Disagree(1) | Report | Reply
