Privacy Advisor

UK—Sony Fined £250,000 for Data Security Breach

March 1, 2013


By Brian Davidson, CIPP/E

The ICO has issued Sony Computer Entertainment Europe Limited (SCEE) with a monetary penalty notice of £250,000 after finding the company had failed to implement sufficient measures to prevent distributed denial-of-service attacks that compromised the personal information of its customers.

The notice, issued on 14 January, found that SCEE's PlayStation Network Platform was infiltrated via the attacks, allowing access to customer names, addresses, e-mail addresses, dates of birth and account passwords.

The ICO found that SCEE had failed to ensure appropriate technical measures were in place against unauthorised or unlawful processing of the personal data stored on its platform, "such as additional cryptographic controls to protect passwords"; that the contravention was of a kind "likely to cause substantial damage or substantial distress" to the individuals whose personal information was compromised; and that SCEE "knew or ought to have known that such a contravention would occur" but had not "taken reasonable steps to prevent the contravention."

In a statement, SCEE said that it "strongly disagrees with the ICO’s ruling and is planning an appeal."

Brian Davidson, CIPP/E, is a privacy and information advisor at Field Fisher Waterhouse, LLP.