24 Jan 2013

Sony fined £250,000 over poor PlayStation security

Sony is fined £250,000 by the UK’s data protection watchdog for failing to safeguard the personal details of millions of customers using its PlayStation Network.

A PlayStation controller (pic: Reuters)

The technology giant’s PlayStation gaming network came under attack in April 2011, when hackers overloaded its computer servers.

During the attacks, hackers had access to a trove of personal information including names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk.

“There’s no disguising that this is a business that should have known better.

“It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe,” said David Smith, director of data protection for the Information Commissioner’s Office (ICO).

‘Out of date software’ blamed

The report blamed out-of-date server software at Sony Network Entertainment Europe and said that, although the company had tried to protect passwords, that protection was also outdated and could be circumvented.

It also highlighted the fact that Sony had been targeted by hackers prior to the PlayStation hack, and should have known that information was at risk.

The PlayStation Network allows users of the games console to enter their credit card details into Sony’s servers in order to buy games and extra features.

Some users are unimpressed with the fine.

Lee Deeble, who believes his credit card was used by criminals following the Sony hack, said: “This is a drop in the ocean for a company like Sony, it’s a tiny fraction of their profits.

“They weren’t good at the time about communicating with people what was happening, and even now we still don’t really know what went wrong, or what they’ve actually done to fix it. They lost a lot of goodwill.”

Maximum fine is £500,000

The maximum fine available to the ICO for such a breach is £500,000.

Sony says it will appeal the ICO’s ruling and highlighted the fact that there is no evidence that card details were in fact accessed.

“Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient.

“The reliability of our network services and the security of our consumers’ information are of the utmost importance to us,” said a spokesman.

The PlayStation Network attack came at a febrile time when so-called hacktivists from the Anonymous online group targeted large corporations.

Sony had attracted the hackers’ anger after it threatened legal action against George Hotz, a computer expert who had published details of how to hack into a PlayStation console.

The hackers then targeted PlayStation Network’s servers with a Distributed Denial of Service (DDoS) attack, in which the computers were flooded with requests and eventually crashed. It was during these attacks that the personal information was stolen.