Sony Drops Appeal of PSN Hack Penalty

Andy Chalk



Sony has dropped its appeal of a £250,000 fine over the 2011 PlayStation Network security breach, saying that continuing the fight would require it to expose "sensitive security data."

The PlayStation Network suffered a rather catastrophic security breach [http://www.escapistmagazine.com/news/view/109469-Sony-Warns-That-PSN-May-Be-Offline-for-Another-Couple-of-Days] back in 2011, as you may recall, which landed it in all sorts of hot water. Among those miffed by Sony's failure to maintain the security of its users' personal information is the Information Commissioner's Office in the U.K., which slapped the company with a fine of £250,000 ($377,000) in January.

Sony appealed the fine, naturally, but has now decided to drop the matter, saying that while it still disagrees with the outcome, it cannot continue to challenge the decision without revealing confidential PSN security information. "This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding," a Sony rep said. "We continue to disagree with the decision on the merits."

When it handed out the fine, the Information Commissioner's Office acknowledged that Sony had been targeted by a "determined criminal attack" but nonetheless declared that "the security measures in place were simply not good enough," adding, "If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority." Following Sony's decision, the ICO said in a statement that it "welcomed" the outcome.

Sources: V3 [http://www.bbc.co.uk/news/technology-23313535]



CriticalMiss

"This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding"

Notice how they say they have a commitment to protecting the network security but say nothing about user information. Methinks they are possibly trying to cover up that they had shitty systems in place at the time and an appeal would highlight that (again), which could lead to more trouble. Quit while you're behind, and all that. [/tinfoilhat]
 

Cid Silverwing

We haven't forgotten, Sony.

I bet any braindead script kiddie with the most basic of tools can gain surface access to Sony's servers, much less break into them entirely and make off with all the credit card information.

By the way, Sony is a Japanese company. I would expect more discipline from those guys.
 

michael87cn

Yeah, I'm sure fining them a massive sum of money will help them fund improvements to their security.

Pretty sure this was just a cash grab, abusing legal procedures.

I don't blame Sony at all. Pretty sure almost anything can be hacked if someone is determined enough.

Hell, plenty of legit websites have malicious code in their ads. Doesn't mean the company is incapable of protecting their shit. Yes I realize infected ads are very different from the subject matter, but it's a point that stands. Nothing is 100% safe and people are of course always very accusatory and upset when they get scared.
 

Camarilla

michael87cn said:
Yeah, I'm sure fining them a massive sum of money will help them fund improvements to their security.

Pretty sure this was just a cash grab, abusing legal procedures.

I don't blame Sony at all. Pretty sure almost anything can be hacked if someone is determined enough.

Hell, plenty of legit websites have malicious code in their ads. Doesn't mean the company is incapable of protecting their shit. Yes I realize infected ads are very different from the subject matter, but it's a point that stands. Nothing is 100% safe and people are of course always very accusatory and upset when they get scared.

Why is it anyone but Sony's responsibility to pay for their security? They don't need help paying for their operations.

The fact you claim this is a cash grab and that you don't blame Sony implies you didn't actually read into the decision (You can read a version modified for public release here [http://www.ico.org.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx]). Their security system at the time of the leak was outdated, leaving a vulnerability that was exploited to access the network, a vulnerability that could have been fixed had Sony done it. As such, their slowness in fixing a known exploit led to millions of people having their private information accessed and taken. Because of this, they were found in breach of the UK's Data Protection Act of 1998, which is punishable by a fine, and the extent of the breach, in the orders of millions of people, as well as the severity of the type of information stolen (payment details which could feasibly be used for card fraud), led to a substantial fine.

This was a massive leak of information from a multinational technology company which should have been completely capable of protecting said information better than they did. Sensitive information which could have severely affected millions of people's lives. In what way should this not be punished?