Data Protection Fine for Sony

As has been widely reported, Sony Computer Entertainment Europe Limited has received a monetary penalty of £250,000 from the Information Commissioner’s Office (ICO) following a hacking attack which led to a leak of customer information.

The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth, account passwords and customers’ payment card details.

After investigating the matter, the ICO found that Sony was in breach of the Data Protection Act 1998 and that the attack could have been prevented if the software used in the PlayStation Network Platform had been kept up to date and customers’ passwords had been stored securely.

David Smith, of the ICO, said: “If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.”

He went on to say that Sony should have known better: it undoubtedly had access to both the technical knowledge and the resources to keep the information safe. He considered the case one of the most serious ever reported to the ICO, as it directly affected a large number of consumers and put them at risk of identity theft.

Following the breach, Sony has rebuilt its Network Platform to ensure that the personal information it processes is kept secure.

While the fine is small in Sony’s terms, its size shows that the ICO means business with organisations that fail to take appropriate technical and organisational measures to safeguard personal data (the seventh of the eight data protection principles under the Data Protection Act 1998), and that what counts as appropriate will be judged against the resources and expertise of the business holding the data. The fine should also be put in context: changes proposed in data protection legislation include a sanction of fines of up to 2% of global turnover, which really is something to be taken seriously. All companies dealing with personal data therefore need to review the measures they have in place to safeguard it, and to keep those measures under review so that they remain up to date.