Remember the Sony PlayStation Network hack of 2011?
Aside from causing the online gaming service to be taken offline for days as Sony system administrators scrabbled to secure the system, the personal information of millions of users was exposed during the hack attack.
Compromised data included of millions of customers’ names, addresses, email addresses, dates of birth and passwords. Payment card details were also put at risk.
The April attack by hackers against the Sony Playstation Network heralded a series of other (over a dozen!) attacks against Sony websites around the world in the following months.
Today, the UK’s Information Commissioner’s Office has announced that it has issued a £250,000 fine against Sony for breaching the Data Protection Act.
David Smith, Deputy Commissioner and Director of Data Protection at the ICO, told the media that Sony should have done a better job at protecting its customers:
"If you are responsible for so many payment card details and login details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough."
"There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
Sony says it has since rebuilt its Playstation Network to better secure its users’ data.
Any company which is storing sensitive information about its customers should be doing everything in its power to prevent unauthorised access to the data.
That doesn’t just mean ensuring that your website is written securely, and that your servers are protected with up-to-date software and security patches but also that sensitive information is encrypted securely. Then, even if the data does fall into the hands of the bad guys, they can’t do anything with it.
A fine sends a strong message to other company that sloppiness when it comes to data security is not acceptable.
How many headlines do there have to be before companies take the issue more seriously?