ICO Details PSN Hack Fine: "The Data Controller Knew, or Ought to Have Known, That There was a Risk"

The legal document provided by the ICO is heavily redacted, but it lists failings by the data controller as reasons for the fine’s severity, such as not using up-to-date security measures. “The data controller knew, or ought to have known, that there was a risk that the contravention would occur unless reasonable steps were taken.” Additionally, the ICO complains that, because of Anonymous’ DDoS attacks prior to the hack, Sony should have taken steps to strengthen its security measures – although, in Sony's defense, Anonymous had no plans to hack the PSN and openly said as much, Sony certainly should have prepared.

doctorstrange2833d ago

Worrying if true, but I think Sony were too busy concentrating on the DDoS attacks to focus on the PSN side at the time

nukeitall2833d ago (Edited 2833d ago )

The DDoS should have tipped them off, but Sony got off easy in my opinion considering (which the article conveniently left off):

"The Information Commissioner’s Office said that Sony’s SECURITY SOFTWARE WAS NOT UP TO DATE, and that the HACK COULD HAVE BEEN PREVENTED."

"The ICO also said, in their report, that user passwords were not secure, and that names, addresses, dates of birth and payment card information could have been at risk."

"The ICO said that the SECURITY LAPSE was the “MOST SERIOUS IT HAS EVER SEEN,” and “there’s no disguising that this is a business that should have known better.”"


Lack of security updates? Everybody in the security world knows that you apply security updates as soon as possible, especially "security software"! It's akin to running your virus scanner with old virus definitions i.e. false security!

Ezz20132832d ago

they were trying to hack into ICO
to know when they will launch TLG

Good_Guy_Jamal2832d ago

I knew one day team ICO would turn against SONY! (joke)

Anon19742832d ago

Odd. Citigroup was hacked at the exact same time and millions were stolen from their customers even though they didn't admit it for months. To my knowledge no one reported losing one cent due to the PSN hack and the regulators admitted "there is no evidence that the encrypted payment card details were accessed", which would on its surface seem to indicate that Sony's security measures protected customer info. Yet I can't seem to find any news regarding Citigroup's fine despite the actual theft.

I'm sure that fine's coming though. Even though the media pretty much ignored the theft of millions at the time to howl because encrypted PSN data made it into the hands of hackers, I'm sure the regulators still have to address fines for lax security for Citigroup that resulted in the actual theft of money. Right?

And does anyone even remember hearing when Sega was hacked a couple of months after Sony and data from 1.3 million customers was stolen related to "Sega Pass"? Much like Sony, there was no evidence there that credit card information was taken either. Odd, I don't remember that being a big deal either.

While I understand the need to keep companies on their toes, does it not seem like for some reason the media has been fixated on Sony over this? You'd think the actual theft of millions would be bigger news, but it was almost completely ignored. And why is there never any focus on the criminals who perpetrated these crimes? If a bank is robbed, we hear about the manhunt for the robbers, or if they have no idea who the robbers were, a plea to the public for help. You never hear about the bank getting fined because its door had a slightly out of date lock on the front.

It's interesting to see how the media treats crimes differently. A bank is robbed and the criminals are responsible. A company is hacked and it's the company who is scrutinized by the media. Again, I think regulators should have a look in cases like these to make sure our information is being safeguarded by the companies we entrust the info to. I just find it questionable how the media prioritizes when it chooses to report these incidents.

nukeitall2832d ago (Edited 2832d ago )


That is a nice spin on it as usual. However, this is negligence, not the fact that "Sony was hacked".

Sony failed to put adequate measures in place to protect the sensitive data they were collecting. You should be happy somebody is doing this considering, this company didn't care to protect your data at all by:

a) not encrypting user passwords

b) using out of date security software

These are things that are standard for even small blogging sites, let alone a technology company that has put a lot more effort into protecting their own assets with the security against piracy on PS3.

"You never hear about the bank getting fined because it's door had a slightly out of date lock on the front."

No, they have a security guard in front and massive security in place. These other financial companies getting hacked probably had proper security measures in place.

You don't blame the company (or bank) for getting hacked (robbed), but you do blame them if they didn't take proper security measures like Sony.

It is irresponsible and negligent of Sony, and it is even more irresponsible of consumers to accept such behavior. It doesn't matter if it is MS, Nintendo or any other company.

It is even worse when a consumer twists the thing around to protect a mega corporation in the wrong!

"Yet I can't seem to find any news regarding Citigroup's fine despite the actual theft."

In case you didn't know, that theft goes out of citicards pocket. Credit card fraud is a cost the credit card company pays. There is no fine, probably because they had proper security measures.

Again, it is NOT the hack that is fined, it is the lackadaisical security Sony employed.

Anon19742832d ago

We'll see how this goes on appeal. A number of courts already threw out cases against Sony finding that their security measures were in keeping with industry standards and that Sony was not responsible or negligent, nor did their actions lead to the breach.

A judge ruled in the US already that Sony wasn't responsible. When he dismissed the case, the judge commented "There is no such thing as perfect security. We cannot ensure or warrant the security of any information transmitted to us." He also said it's clear in Sony's customer agreement that "Sony's security was not 'perfect,'" and "no reasonable consumer could have been deceived." There is also the fact that no one has stepped forward and made a claim of damages against Sony.

I imagine this will be overturned on appeal if the previous court decisions worldwide are anything to go by. As the judge ruled previously, PSN's a free service and makes no claims to have impenetrable security. It's not like they were negligent or weren't using any security whatsoever.

If users don't like it, no one is holding a gun to their heads and forcing them to sign up. I have personal information on a number of sites and I don't expect those sites to be hack proof. I expect them to take reasonable measures to safeguard my information, but the risk I take with my information online is my decision to make. If it weren't for Sony's honesty, we wouldn't even have known that anything had happened, and their actions to protect consumers after the hack went above and beyond in my opinion.

As for Citibank, personal and financial information leaked and millions were stolen as a result. I don't care if Citibank ultimately has to cover it, this hack led to an actual theft. The money to pay for this wasn't just conjured out of thin air. Someone, somewhere had to pay for it. A crime was committed and real world assets, in this case money, were legitimately stolen and have to be made up for while someone is off spending the ill-gotten gains. Obviously this is far worse than a case where no actual theft to customers took place.

If anything, the fact that the financial information was encrypted says that Sony DID have adequate security measures because even though hackers breached the system, they couldn't use anything they stole. Real monetary theft is obviously more serious than this case where financial data was still encrypted and not at any serious risk. Certainly you can recognize the difference, yet even though they happened at the same time, one case was widely reported, the other was ignored.

We'll see what happens on appeal. I'm curious to see where these guidelines are for internet security that Sony somehow breached that the ICO is basing this decision on.

iamnsuperman2833d ago

"ICO admits that “there is no evidence that the encrypted payment card details were accessed” and says they have received no complaints or reports of harm from the personal data lost and don’t think it was used by the hackers. "

Then I am unsure how they can fine and say what they said. I mean they admit themselves there is no evidence of details stolen. Also the fine is only half a million.

If I was Sony I would appeal. I am not sure how ICO can say details were compromised if they admit there is no evidence to support this

doctorstrange2833d ago

I think they're more upset that stuff could have potentially been compromised, even if it wasn't. But yeah, it seems a little harsh.

And I think Sony has already paid their dues, this was costly for them to say the least.

rainslacker2833d ago (Edited 2833d ago )

I agree...I think too much was left out about what they were being fined for. It sounds like they were getting a DDoS attack and then got fined because they didn't take extra measures. OTOH, it's not unusual for big business to get those kinds of attacks often. On top of that they even admitted that it was a criminal attack.

While I think Sony should have had more security, the truth is, everything is hackable.

iamnsuperman2833d ago

"While I think Sony should have had more security, the truth is, everything is hackable."

I agree it just takes time. It wasn't too long ago that a British guy (named Gary McKinnon) hacked into the Pentagon (one of the most secure places online). It doesn't matter how much you pay. Things can get hacked which is really worrying since everything is now online

nukeitall2833d ago (Edited 2833d ago )

The problem isn't that Sony were hacked.

It was the fact that Sony:

a) didn't apply updates to their security software (in fact, it was the biggest lapse the ICO had ever seen).

b) user passwords were not encrypted

Those are *standard practices* that even amateur sites do to protect their users. This is common knowledge and really highlights the seriousness of the matter. In fact, most free software does this for you automatically. It's mind boggling that Sony doesn't do this.

See my post above.

Makes you wonder what security Sony had in place at all?


""While I think Sony should have had more security, the truth is, everything is hackable." "

Yes, but that is not an excuse for negligence and not doing *simple* standard security practices.

It is one thing when a network has been properly secured, and another when it is just thrown together ignoring security.

On the flip side, Sony is pretty darn good with the DRM and restrictions they put on the PS3!
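The two failings the comment above keeps returning to (passwords not stored in a protected form, security software not kept current) are both about baseline practice rather than clever attacks. The password half is the one that can be shown in code: the standard practice is to store only a per-user salt and a slow one-way hash, so that a copied user table does not hand out the credentials themselves. The following Python is an added illustration for this thread, not code from the article, the ICO report or any Sony system; the user records, usernames and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumption: a moderate value chosen so the
# example runs quickly; real deployments tune this upward as hardware gets faster.
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed in-memory user stores standing in for a database table.
PLAINTEXT_USERS: dict = {}   # the negligent design: password stored exactly as typed
HASHED_USERS: dict = {}      # the standard design: salt + one-way digest, nothing else


def plaintext_register(username: str, password: str) -> None:
    """Stores the password verbatim; a leaked copy of the table is a list of credentials."""
    PLAINTEXT_USERS[username] = password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Derives a per-user salted digest; the password cannot be recovered from the result."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)            # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def hashed_register(username: str, password: str) -> None:
    HASHED_USERS[username] = hash_password(password)


def hashed_verify(username: str, password: str) -> bool:
    """Recomputes the digest with the stored salt and compares in constant time."""
    record = HASHED_USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def plaintext_dump() -> bytes:
    """What an attacker who copies the plaintext table walks away with."""
    return "\n".join(f"{u}:{p}" for u, p in PLAINTEXT_USERS.items()).encode("utf-8")


def hashed_dump() -> bytes:
    """What an attacker who copies the hashed table walks away with."""
    return b"\n".join(u.encode("utf-8") + b":" + r["salt"] + b":" + r["digest"]
                      for u, r in HASHED_USERS.items())


def dump_exposes_password(store_dump: bytes, password: str) -> bool:
    """True if the password literally appears in the leaked copy of the store."""
    return password.encode("utf-8") in store_dump


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get different digests because their salts differ,
    so a leaked table does not even reveal which users share a password."""
    return hash_password(password)["digest"] != hash_password(password)["digest"]


if __name__ == "__main__":
    pw = "correct horse battery"               # constructed sample password
    plaintext_register("alice", pw)
    hashed_register("alice", pw)
    print("plaintext dump contains password:", dump_exposes_password(plaintext_dump(), pw))
    print("hashed dump contains password:   ", dump_exposes_password(hashed_dump(), pw))
    print("login, right password:           ", hashed_verify("alice", pw))
    print("login, wrong password:           ", hashed_verify("alice", pw + "x"))
```

The contrast is the whole point: both stores let a legitimate login succeed, but only the plaintext one turns a copied table into usable credentials. The constant-time comparison and the dummy hash for unknown users are small details that matter once the login endpoint itself is being probed.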

supremacy2833d ago

If I weren't typing this from my Vita, I would have provided you with a link. But Sony is already appealing this case on the same basis you mentioned just now.

Sony said in a statement pretty much what you just stated and are planning to appeal.

Personally I feel this is old news. Heck, I thought we were through with this. I am sure Sony will be okay when all is said and done and get back to reporting that profit they are supposed to report sometime this year.

LocutusEstBorg2833d ago (Edited 2833d ago )

Probably outsourced to India. They never read the code and had no idea it was garbage.

from the beach2833d ago

Good to see action over this. Hopefully it sends a clear message that any risk to security details is totally unacceptable!

doctorstrange2833d ago

But the message was already sent - Sony lost millions and suffered terrible PR. This seems overkill.

knifefight2833d ago

I thought this was going to be about ICO the game, like as in, the one by the guys that did Shadow of the Colossus. :(
