Sony has thrown in the towel on its appeal of a £250,000 fine ($377,500) imposed after its PlayStation Network was hacked in April 2011.
The UK Information Commissioner’s Office (ICO) imposed the fine in January after an investigation showed that the attack could have been prevented if Sony’s software had been up to date.
On top of that, the ICO, finding that technical developments led to passwords not being secure, also charged Sony with negligence for failing to protect PlayStation Network (PSN) users.
The breach was huge.
An apologetic Sony admitted within a few weeks that it was contacting users about 77 million possibly affected accounts.
Breached personal information of those millions of customers included names, addresses, email addresses, dates of birth and account passwords.
It was feared at the time that payment card details were also compromised.
Sony said that the credit card data was, in fact, encrypted, but the strength of the encryption was a question mark it didn’t address.
According to the BBC, Sony said on Monday that it still disagrees with the verdict but that keeping up the fight would risk exposing sensitive security data.
What does that mean? One could conjecture that were Sony to keep fighting the fine, it might have had to let the light shine in on the strength of the encryption that it claims was protecting its credit card data, but at this point, only Sony knows what sensitive security data it’s talking about.
This is what a Sony spokesman told the BBC:
"This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding.
"We continue to disagree with the decision on the merits."
Sony can continue to disagree for as long as it likes, but let’s just hope that the company means what it says when it claims to be continually working to make its networks “safe, secure and resilient” from attacks.
As it is, gaming companies have become a favorite toy for hackers to bat around for fun and profit.
Some companies that have recently fallen prey:
- In early July, hackers attacked Ubisoft’s account database, getting at user names, email addresses and encrypted passwords.
- Konami has revealed that from 13 June to 7 July, it spotted 35,000 successful logins after hackers hit it with 4 million attempts. Names, addresses, dates of birth, telephone numbers, and email addresses may have been exposed.
Password changes were necessitated by all of these incidents.
And even if credit card data was properly encrypted at Sony or wasn’t breached during the more recent attacks, these breaches are, nonetheless, still potentially dangerous.
Exposure of personal information can lead to criminals breaking into users’ other accounts (which is why you should always use unique passwords), as well as phishing scams or malware attacks that can be all the more convincing given that scammers know your email and snail mail addresses.
The stakes are high, and the criminal element obviously finds online gaming particularly appealing.
Be careful, gamers – it’s a jungle out there.
It is really amazing to me they got off that easy. I mean $377,500 seems like a lot, but not when you think about the fact that this is SONY we are talking about. The CEO can probably shake that much out of his couch cushions.
Shoot, they probably dropped the appeal when they realized they could save more than that by just not having to pay their lawyer that month.
The fine is tiny but the precedent it sets might be far reaching.
The company was found responsible because it wasn't up-to-date on patches.
It seems like there is a new gigantic privacy breach at least once a week. Will all of those other companies start facing lawsuits, as well?
Should they?
How about leaving Sony alone and fining the hackers $10 million? That seems more fair.
I agree, but try to find them in the first place.
I believe they did find some of them.
Nothing's ever foolproof, but I hate Sony's response to this attack.
Shortly after the attack, Sony changes its terms and conditions which now prevents them from being used by users or groups of users and preventing the laws of your own country from affecting their terms and conditions. An absolute power dictatorship?
All we needed was reassurance that they would investigate the matter, additional security would be put in place to prevent this matter. Optionally (but advisably) offer some minor compensation to their customers.
And a 250k fine, for a massive electronics company not even worth their time or lawyers' fees to dispute.