On 24 January 2013, the UK Information Commissioner’s Office (ICO) announced that Sony Computer Entertainment Europe Limited (Sony) would be fined £250,000 following a data breach of the PlayStation Network. The breach occurred in 2011 when hackers accessed the personal details of “millions” of PlayStation Network customers, including names, dates of birth, passwords, and other categories of data.
Following an investigation, the ICO declared that the breach had been “preventable” had software been kept up to date, and stated that “[Sony] is a business that should have known better”.
The monetary penalty notice redacts key details of the breach — such as the precise number of Sony PlayStation accounts affected — but nevertheless reveals interesting details about how the ICO reached the decision to fine Sony £250,000, which other companies should take note of.
In particular, the notice cites aggravating factors, including, for example, the “vast amount” of personal data affected, and the ICO’s belief that Sony “should have been aware of the software vulnerability” that led to the breach. The notice also cites mitigating factors that presumably reduced the scale of the fine, including, for example, the complexity of the Sony PlayStation Network, a lack of previous security breaches, the fact that no complaints were received by Sony after the breach, and Sony’s behaviour following the breach (Sony voluntarily reported the breach to the ICO, informed data subjects, and fully cooperated in the investigation).
A short YouTube video of David Smith, Deputy Commissioner and Director of Data Protection at the ICO, commenting on the breach, was also released, and is available here.