Sony fined £250,000 after hackers gained access to millions of gamers' details


Remember the Sony PlayStation Network hack of 2011?


Aside from causing the online gaming service to be taken offline for days as Sony system administrators scrabbled to secure the system, the personal information of millions of users was exposed during the hack attack.

Compromised data included millions of customers' names, addresses, email addresses, dates of birth and passwords. Payment card details were also put at risk.

The April attack by hackers against the Sony PlayStation Network heralded a series of other (over a dozen!) attacks against Sony websites around the world in the following months.

Today, the UK's Information Commissioner's Office has announced that it has issued a £250,000 fine against Sony for breaching the Data Protection Act.

David Smith, Deputy Commissioner and Director of Data Protection at the ICO, told the media that Sony should have done a better job at protecting its customers:

"If you are responsible for so many payment card details and login details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough."

"There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."

Sony says it has since rebuilt its PlayStation Network to better secure its users' data.

Any company which is storing sensitive information about its customers should be doing everything in its power to prevent unauthorised access to the data.

That doesn't just mean ensuring that your website is written securely and that your servers are protected with up-to-date software and security patches, but also that sensitive information is encrypted securely. Then, even if the data does fall into the hands of the bad guys, they can't do anything with it.

A fine sends a strong message to other companies that sloppiness when it comes to data security is not acceptable.

How many headlines do there have to be before companies take the issue more seriously?


4 Responses to Sony fined £250,000 after hackers gained access to millions of gamers' details

  1. Brian M. says:

    Perhaps Sony's security measures were not up to par but no matter how much security you implement, if a hacker is determined enough, they get through it.

    I agree that companies should do everything they possibly can to safeguard customer information but sometimes that's not enough and there's no one to blame other than the hacker!

  2. ian hardei says:

    pathetic - as if a company like Sony would notice a £250,000 fine.

    sends out all the wrong messages

  3. GuitarBob says:

    Many (most?) companies are concerned with the money they make from their activity and keeping costs low, so even customer security gets a back seat to those two objectives. Pathetic is right!

    Regards,

    • roy jones jr says:

      In Sony's case, yes. Only because they get targeted like Microsoft, but Sony just doesn't care. Time & time again in these public articles and other articles they show how they run their business.


About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.