Recently, Sony's European arm was chastised for its data security missteps in the form of a nearly $400,000 fine handed down from the U.K. Information Commissioner's Office (ICO). In April 2011, a targeted cybercriminal attack compromised the accounts of approximately 77 million Sony PlayStation Network subscribers worldwide. In the attack, hackers were able to expose a wealth of personally identifiable information (PII), including names, addresses, dates of birth and account passwords. A limited percentage of the affected customers had their payment card details exposed as well, according to InformationWeek, inspiring approximately three million to change their banking account details and obtain new credit cards.
"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority," ICO deputy commissioner David Smith explained. "In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough."
Determining liability
After months of forensic investigation, data protection authorities were convinced that if Sony had kept its network software up to date, the entire incident might have been avoided. According to InformationWeek, officials also objected to the relatively weak standards governing account password creation and management.
"There's no disguising that this is a business that should have known better," Smith added. "It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
The one potential mitigating factor in this instance is the limited evidence that customers whose payment card details were extracted from Sony's databases suffered any financial losses. In a response emailed to TechCrunch, company officials insisted that the leaked information was protected by data encryption software, which would significantly limit what the hackers could do with it.
While Sony regrets the unfortunate incident, spokesmen added that maintaining absolutely impenetrable networks is all but impossible amid today's highly involved threat landscape. In the statement sent to TechCrunch, they suggested the company had been doing its due diligence to engineer safe and resilient systems and intends to appeal the ICO decision at least in part.