ICO defends ‘paltry’ £250k Sony fine

The data watchdog has whacked Sony with a £250,000 fine for the PlayStation Network breach fiasco – one of the largest consumer data hacks of all time – but has immediately been forced to defend the size of the fine.
The Information Commissioner’s Office has the power to issue fines of up to £500,000, yet director of operations Simon Entwisle said there were “mitigating factors” that meant Sony did not face the full force of the ICO’s powers.
The ICO’s biggest fine to date was issued to the owners of Tetrus Telecoms, in November. Christopher Niebel and Gary McNeish were fined a total of £440,000 for sending up to 840,000 unsolicited text messages a day.
Under the proposed EU Data Protection Regulation – which, if approved, would allow companies to be fined up to 2% of global turnover for data breaches – Sony’s annual revenues of £49bn would mean it could face a fine of nearly £1bn from Brussels.
The case dates back to April 2011, when the personal details of 77 million customers worldwide – 3 million of whom were in the UK – were stolen. The data included names, addresses, email addresses, dates of birth and account passwords, and customers’ payment card details were also put at risk.
However, there are no known cases of the stolen data actually being used for monetary gain.
An ICO investigation found that the attack could have been prevented if Sony’s software had been kept up to date, and that technical developments meant the way passwords were stored was no longer secure.
ICO deputy commissioner and director of data protection David Smith maintained Sony was a business that “should have known better”.
He added: “It is a company that trades on its technical expertise, and there’s no doubt in my mind that it had access to both the technical knowledge and the resources to keep this information safe.
“The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”
Sony has said it plans to appeal against the decision, pointing out that the ICO itself had admitted that “personal data is unlikely to have been used for fraudulent purposes”.
A Sony spokesman said: “Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient.”
But one industry source claims the fine sends out the wrong message. He said: “This was one of the largest data breaches in history, and the ICO had an opportunity to send out a clear message to the market. £250,000 is a paltry amount for a company the size of Sony. And, given the ICO’s record on reducing fines on appeal, it could end up paying a lot less.”
Last year, a Freedom of Information request revealed that the ICO had reduced the fines of businesses that had breached data protection law in half of the cases in which it had issued a monetary penalty.
