ICO levies a heavy fine for breach of the Data Protection Act by Sony
In a recent high-profile case the Information Commissioner's Office (ICO) has issued a significant financial penalty against Sony, demonstrating the commercial ramifications of businesses not taking adequate measures to protect data and comply with data protection laws.
The penalty against Sony was issued following the hacking of its Network Platform in April 2011, which compromised the names, dates of birth, addresses, email addresses and account passwords of tens of millions of its customers.
As a significant number of customers had registered payment card details to their accounts there was concern that customers' payment card details were also at risk, potentially exposing customers to identity theft.
Sony was held to be culpable by the ICO for having failed to address a vulnerability in its Network Platform, despite the availability of updates which could have prevented the hacking of customer data.
As there had been several Distributed Denial of Service (DDoS) attacks on Sony group's various online networks, the ICO said that Sony should have anticipated further attacks were likely and taken measures to remedy the security failings in the Network Platform.
In light of the amount and nature of the information which was compromised, the distress caused to customers, and the potential for them to be exposed to fraud, the ICO issued a fine of £250,000, exactly half of the maximum fine possible in the circumstances.
Sony has stated that it will appeal the decision, pointing out that the ICO acknowledged that Sony was the victim of "a focused and determined criminal attack" and that "there is no evidence that encrypted payment card details were accessed".
David Smith, Deputy Commissioner and Director of Data Protection, said: "If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority". He also said of Sony: "It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
This penalty shows that the ICO will not hesitate to levy significant fines where personal data has been unduly compromised. It also highlights the importance of businesses having data protection and information security policies and procedures in place to ensure that data in all forms is protected.