Sony Computer Entertainment Europe has been fined £250,000 by the UK Information Commissioner's Office (ICO) for its part in the global 2011 PlayStation Network breach, which forced the service offline for 24 days and compromised the personal information of millions of users. The PlayStation owner says it intends to fight the ruling.
The ICO, an independent UK regulatory office that looks to uphold information rights, said Sony had put the personal information of its customers at "unnecessary risk" and had "let everybody down" by failing to ensure such information could not be accessed during the much-publicised hack in April 2011.
"We make no apologies for the penalty in this case," said David Smith, ICO deputy information commissioner and director of data protection, in a public statement. "It's a big penalty, it's quarter of a million pounds, but this is probably the most serious breach that we've had reported to us."
The ICO investigation concluded the hack "could have been prevented if the software had been up-to-date."
"Security is first and foremost the responsibility of the business and Sony let everybody down here," added Smith.
In a statement issued to GameSpot, Sony said it plans to fight the ruling. "Sony Computer Entertainment Europe strongly disagrees with the ICO’s ruling and is planning an appeal."
"SCEE notes, however, that the ICO recognises Sony was the victim of 'a focused and determined criminal attack,' that 'there is no evidence that encrypted payment card details were accessed,' and that 'personal data is unlikely to have been used for fraudulent purposes' following the attack on the PlayStation Network."
"Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient. The reliability of our network services and the security of our consumers’ information are of the utmost importance to us, and we are appreciative that our network services are used by even more people around the world today than at the time of the criminal attack."
During 2011's PlayStation Network outage there was much speculation about whether hackers had managed to obtain users' credit card information. After eight days of downtime, however, Sony said it was unlikely such details were obtained. "The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack," said Sony at the time.
Sony CEO Kaz Hirai was one of several high-ranking executives who personally apologised for the hack, and the company eventually offered its users a selection of free games as compensation for the downtime.