Submitted by doctorstrange 1112d ago | news

ICO Details PSN Hack Fine: "The Data Controller Knew, or Ought to Have Known, That There was a Risk"

The legal document provided by ICO is heavily redacted, but lists failings by the data controller as reasons for the fine’s severity, such as not using the latest security measures. “The data controller knew, or ought to have known, that there was a risk that the contravention would occur unless reasonable steps were taken”. Additionally, ICO complain that, because of Anonymous’ DDoS attacks prior to the hack, Sony should have taken steps to beef up security measures – although, in their defense, Anonymous had no plans to hack the PSN and openly said as much, but Sony certainly should have prepared.
-PSLS (PS3, PSP, Sony)

doctorstrange  +   1112d ago
Worrying if true, but I think Sony were too busy concentrating on the DDoS attacks to focus on the PSN side at the time
nukeitall  +   1112d ago
The DDoS should have tipped them off, but Sony got off easy in my opinion considering (which the article conveniently left off):

"The Information Commissioner’s Office said that Sony’s SECURITY SOFTWARE WAS NOT UP TO DATE, and that the HACK COULD HAVE BEEN PREVENTED."

"The ICO also said, in their report, that user passwords were not secure, and that names, addresses, dates of birth and payment card information could have been at risk."

"The ICO said that the SECURITY LAPSE was the “MOST SERIOUS IT HAS EVER SEEN,” and “there’s no disguising that this is a business that should have known better.”"


Lack of security updates? Everybody in the security world knows that you apply security updates as soon as possible, especially "security software"! It's akin to running your virus scanner with old virus definitions i.e. false security!
#1.1 (Edited 1112d ago ) | Agree(10) | Disagree(4) | Report | Reply
Ezz2013  +   1112d ago
they were trying to hack into ICO
to know when they will launch TLG
Good_Guy_Jamal  +   1112d ago
I knew one day team ICO would turn against SONY! (joke)
Anon1974  +   1111d ago
Odd. Citigroup was hacked at the exact same time and millions were stolen from their customers even though they didn't admit it for months. To my knowledge no one reported losing one cent due to the PSN hack and the regulators admitted "there is no evidence that the encrypted payment card details were accessed", which would on its surface seem to indicate that Sony's security measures protected customer info. Yet I can't seem to find any news regarding Citigroup's fine despite the actual theft.

I'm sure that fine's coming though. Even though the media pretty much ignored the theft of millions at the time to howl because encrypted PSN data made it into the hands of hackers, I'm sure the regulators still have to address fines for lax security for Citigroup that resulted in the actual theft of money. Right?

And does anyone even remember hearing when Sega was hacked a couple of months after Sony and data from 1.3 million customers was stolen related to "Sega Pass"? Much like Sony, there was no evidence there that credit card information was taken either. Odd, I don't remember that being a big deal either.

While I understand the need to keep companies on their toes, does it not seem like for some reason the media has been fixated on Sony over this? You'd think the actual theft of millions would be bigger news, but it was almost completely ignored. And why is there never any focus on the criminals who perpetrated these crimes? If a bank is robbed, we hear about the manhunt for the robbers, or if they have no idea who the robbers were a plea to the public for help. You never hear about the bank getting fined because its door had a slightly out of date lock on the front.

It's interesting to see how the media treats crimes differently. A bank is robbed and the criminals are responsible. A company is hacked and it's the company who is scrutinized by the media. Again, I think regulators should have a look in cases like these to make sure our information is being safeguarded by the companies we entrust the info to. I just find it questionable how the media prioritizes when it chooses to report these incidents.
nukeitall  +   1111d ago

That is a nice spin on it as usual. However, this is negligence, not the fact that "Sony was hacked".

Sony failed to put adequate measures in place to protect the sensitive data they were collecting. You should be happy somebody is doing this considering, this company didn't care to protect your data at all by:

a) not encrypting user passwords

b) using out of date security software

These are things that are standard for even small blogging sites, let alone a technology company that has put a lot more effort into protecting their own assets with the security against piracy on PS3.

"You never hear about the bank getting fined because its door had a slightly out of date lock on the front."

No, they have a security guard in front and massive security in place. These other financial companies getting hacked probably had proper security measures in place.

You don't blame the company (or bank) for getting hacked (robbed), but you do blame them if they didn't take proper security measures like Sony.

It is irresponsible and negligent of Sony, and it is even more irresponsible of consumers to accept such behavior. It doesn't matter if it is MS, Nintendo or any other company.

It is even worse when a consumer twists the thing around to protect a mega corporation in the wrong!

"Yet I can't seem to find any news regarding Citigroup's fine despite the actual theft."

In case you didn't know, that theft goes out of citicards pocket. Credit card fraud is a cost the credit card company pays. There is no fine, probably because they had proper security measures.

Again, it is NOT the hack that is fined, it is the lackadaisical security Sony employed.
#1.3.1 (Edited 1111d ago ) | Agree(1) | Disagree(4) | Report
Anon1974  +   1111d ago
We'll see how this goes on appeal. A number of courts already threw out cases against Sony finding that their security measures were in keeping with industry standards and that Sony was not responsible or negligent, nor did their actions lead to the breach.

A judge ruled in the US already that Sony wasn't responsible. When he dismissed the case, the judge commented "There is no such thing as perfect security. We cannot ensure or warrant the security of any information transmitted to us." He also said it's clear in Sony's customer agreement that "Sony's security was not 'perfect,'" and "no reasonable consumer could have been deceived." Also is the fact that no one has stepped forward and made a claim of damages against Sony.

I imagine this will be overturned on appeal if the previous court decisions worldwide are anything to go by. As the judge ruled previously, PSN's a free service and makes no claims to have impenetrable security. It's not like they were negligent or weren't using any security whatsoever.

If users don't like it, no one is holding a gun to their heads and forcing them to sign up. I have personal information on a number of sites and I don't expect those sites to be hack proof. I expect them to take reasonable measures to safeguard my information but the risk I take with my information online is my decision to make. If it weren't for Sony's honesty, we wouldn't even have known that anything had happened, and their actions to protect consumers after the hack went above and beyond in my opinion.

As for Citibank, personal and financial information leaked and millions were stolen as a result. I don't care if Citibank ultimately has to cover it, this hack led to an actual theft. The money to pay for this wasn't just conjured out of thin air. Someone, somewhere had to pay for it. A crime was committed and real world assets, in this case money, was legitimately stolen and has to be made up for while someone is off spending the ill-gotten gains. Obviously this is far worse than a case where no actual theft to customers took place.

If anything, the fact that the financial information was encrypted says that Sony DID have adequate security measures because even though hackers breached the system, they couldn't use anything they stole. Real monetary theft is obviously more serious than this case where financial data was still encrypted and not at any serious risk. Certainly you can recognize the difference, yet even though they happened at the same time, one case was widely reported, the other was ignored.

We'll see what happens on appeal. I'm curious to see where these guidelines are for internet security that Sony somehow breached that the ICO is basing this decision on.
iamnsuperman  +   1112d ago
"ICO admits that “there is no evidence that the encrypted payment card details were accessed” and says they have received no complaints or reports of harm from the personal data lost and don’t think it was used by the hackers. "

Then I am unsure how they can fine and say what they said. I mean they admit themselves there is no evidence of details stolen. Also the fine is only half a million

If I was Sony I would appeal. I am not sure how ICO can say details were compromised if they admit there is no evidence to support this
doctorstrange  +   1112d ago
I think they're more upset that stuff could have potentially been compromised, even if it wasn't. But yeah, it seems a little harsh.

And I think Sony has already paid their dues, this was costly for them to say the least.
rainslacker  +   1112d ago
I agree...I think too much was left out about what they were being fined for. It sounds like they were getting a DDoS attack and then got fined because they didn't take extra measures. OTOH, it's not unusual for big business to get those kinds of attacks often. On top of that they even admitted that it was a criminal attack.

While I think Sony should have had more security, the truth is, everything is hackable.
#2.2 (Edited 1112d ago ) | Agree(4) | Disagree(3) | Report | Reply
iamnsuperman  +   1112d ago
"While I think Sony should have had more security, the truth is, everything is hackable."

I agree it just takes time. It wasn't too long ago that a British guy (named Gary McKinnon) hacked into the Pentagon (one of the most secure places online). It doesn't matter how much you pay. Things can get hacked which is really worrying since everything is now online
nukeitall  +   1112d ago
The problem isn't that Sony were hacked.

It was the fact that Sony:

a) didn't apply updates to their security software (in fact, it was the biggest lapse the ICO had ever seen).

b) user passwords were not encrypted

Those are *standard practices* that even amateur sites do to protect their users. This is common knowledge and really highlights the seriousness of the matter. In fact, most free software does this for you automatically. It's mind boggling that Sony doesn't do this.

See my post above.

Makes you wonder what security Sony had in place at all?


"While I think Sony should have had more security, the truth is, everything is hackable."

Yes, but that is not an excuse for negligence and not doing *simple* standard security practices.

There is one thing that a network was attempted properly secured, and another when it is just thrown together ignoring security.

On the flip side, Sony is pretty darn good with the DRM and restrictions they put on the PS3!
#2.2.2 (Edited 1112d ago ) | Agree(8) | Disagree(3) | Report
supremacy  +   1112d ago
If I weren't typing this from my vita, I would have provided you with a link. But Sony is already appealing this case on the same basis you mentioned just now.

Sony said in a statement pretty much what you just stated and are planning to appeal.

Personally I feel this is old news. Heck I thought we were through with this. I am sure Sony will be okay when all is said and done and get back to reporting that profit they are supposed to report sometime this year.
LocutusEstBorg  +   1112d ago
Probably outsourced to India. They never read the code and had no idea it was garbage.
#3 (Edited 1112d ago ) | Agree(3) | Disagree(2) | Report | Reply
from the beach  +   1112d ago
Good to see action over this. Hopefully it sends a clear message that any risk to security details is totally unacceptable!
doctorstrange  +   1112d ago
But the message was already sent - Sony lost millions and suffered terrible PR. This seems overkill.
knifefight  +   1112d ago
I thought this was going to be about ICO the game, like as in, the one by the guys that did Shadow of the Colossus. :(
Flatbattery  +   1112d ago
Can we hear about all the other companies (gaming related or otherwise) that have been fined for actually losing customer information through their servers? Didn't think so, not newsworthy enough huh?
HiddenMission  +   1112d ago
We do hear about them it's just that everyone even ICO have it up the rear to go after Sony. I know several other big name companies even credit card companies news reports about being hacked. These have made it up on here with way worse data breaches but no one cares...why because it's not Sony.
ziggurcat  +   1111d ago
sony doom patrol dredging up this old, dead horse, eh?

they must be desperate to pull anything out of their ***es so close to a possible announcement of the next playstation.
#7 (Edited 1111d ago ) | Agree(0) | Disagree(1) | Report | Reply
