Sony Europe fined £250,000 for 2011 PlayStation Network hacking

UK regulatory body says Sony "let everybody down" regarding the hack, but the platform holder intends to appeal the ruling.

Sony Computer Entertainment Europe has been fined £250,000 by the UK Information Commissioner's Office (ICO) for its part in the global 2011 PlayStation Network breach which forced the service offline for 24 days and compromised the personal information of millions of users. The PlayStation owner says it intends to fight the ruling.

The ICO, an independent UK regulatory office which looks to uphold information rights, said Sony had put the personal information of its customers at "unnecessary risk" and had "let everybody down" for failing to ensure such information could not be accessed during the much-publicised hack in April 2011.

"We make no apologies for the penalty in this case," said David Smith, ICO deputy information commissioner and director of data protection, in a public statement. "It's a big penalty, it's quarter of a million pounds, but this is probably the most serious breach that we've had reported to us."

The ICO investigation concluded the hack "could have been prevented if the software had been up-to-date."

"Security is first and foremost the responsibility of the business and Sony let everybody down here," added Smith.

In a statement issued to GameSpot, Sony said it plans to fight the ruling. "Sony Computer Entertainment Europe strongly disagrees with the ICO’s ruling and is planning an appeal."

"SCEE notes, however, that the ICO recognises Sony was the victim of 'a focused and determined criminal attack,' that 'there is no evidence that encrypted payment card details were accessed,' and that 'personal data is unlikely to have been used for fraudulent purposes' following the attack on the PlayStation Network."

"Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient. The reliability of our network services and the security of our consumers’ information are of the utmost importance to us, and we are appreciative that our network services are used by even more people around the world today than at the time of the criminal attack."

During 2011's PlayStation Network outage there was much speculation about whether hackers had managed to obtain users' credit card information. After eight days of downtime, however, Sony said it was unlikely such details were obtained. "The entire credit card table was encrypted and we have no evidence that credit card data was taken. The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack," said Sony at the time.

Sony CEO Kaz Hirai was one of several high-ranking executives who personally apologised for the hack, and the company eventually offered its users a selection of free games as compensation for the downtime.


Martin Gaston

164 comments
soulless4now

Good luck fighting that. They'll need it. 

AncientDozer

Oh boo hoo. Pay the 250,000. That's like what you have in your piggy bank, Sony.

DarkSaber2k

"This fine is unfair! Yes we built a badly-designed easily hacked network that a high school kid could have designed to be more secure, that made it easy for someone to hack in and steal all your personal information, but you can't prove they did anything illegal with it so we should be in the clear!"

Way to miss the fucking point AGAIN Sony. Christ that arrogance is gonna sink the company in the next 5 years.

LtCmdrShepard

I agree. Sony are to blame for it, and I think the fine should have been much higher. They got off easy. It's the one reason I stopped playing PS3 and have an Xbox, because I do not want my identity stolen.

91210user

We just don't like the Japanese take our sources of witches, faires and elves which allows them to make stories for their RPG games. I wish it was SquareEnix! That's why Nintendo doesn't want the Wii to be online 24/7. It's because of this!

TrueProphecy22

Everything is hackable.  Fining a company that has already gone to great lengths and great expenses to increase their security is not going to help anyone.

Ripper_TV

This a joke? I'd fine them for at least 10 billion. Make him go bankrupt for this!

6orange6

Well, as long as we are reading headlines that say console maker gets large fine, and not hackers traced and given large fine, this will continue. Just to add to others' comments, never ever put debit card details into a console. They may look and act like credit cards but they are hardwired into your bank account and do not offer the same safeguards. Always use prepaid cards or face the consequences.

GH05T-666

where is our cash for not being able to use our playstation 3 for 2 months?

SanjuroGT

Does this explain why so many people are getting account ban messages from SCEE? Because my friend who is from New York got a ban notice from SCEE just because he logged into some friend's hacked PS3. I feel sorry for my friend but I just find it odd that he received a ban message from SCEE instead of SCEA.

thequickshooter

plus sony supports pay-pal now 

so everything should be fine putting up your pay-pal on your account

thequickshooter

i never.ever. gonna put a credit card on a console 

even on XBL i don't want the company to know the digits 

there is a lot of pre-paid ways to buy like maximuscards, or buying a pre-paid card in a store 

it's more expensive sure, but it's 10000 times safer

FollowY0urBliss

This is ONE of the reasons I don't mind paying $50 a year for XBL..

And keep in mind, I'm not trying to attack the ps3 or psn in this comment.

TTDog

Sony got away with a limp slap on the wrist and have said they'll appeal... maybe they'll get a proper fine at the appeal hearing.

warhawk-geeby

I can't say I particularly approve of the fine... because to be fair to Sony in the aftermath they seriously tried hard to please their customers. They knew they were in the wrong and offered everyone free games as a sorry.

What annoys me more however is the fact the UK Information Commissioner's Office will be receiving £250k, not the people that were actually affected. Why should ICO reap the benefits here? I wouldn't want to see Sony lose anything personally but if money has to go somewhere it should go to the customers, not a branch of the government.

Absolute joke.

DeFiLeDTitan

Your computer was hacked? Well, that wasn't very responsible of you, now was it? We'll have to take your money now, sorry. 

mix_yan

Hackers will try to hack no matter what the security is, so it's dumb to fine Sony.

tightwad34

I was wondering who had the authority to fine them other than the government. I guess the ICO works for them, go figure. Why now? Year and a half later. Oh and I am also wondering if anyone heard or themselves had anything bad happen as a result of the hack.

sam628

ps3 sales should cover the fine haha

sam628

xbox live is more secure than sony network 

sam628

sony got a lite fine 

ArabrockermanX

Yep and for all the Sony fanboys defending Sony and claiming the software was up to date here it is Sony being fined for out of date software. Fanboys need to learn not to stick their nose up corporate ***es.

AfrosRockMan

I'm disappointed that the fees are so low. Yes, nothing is hack proof. But Sony knew the risks. They were negligent in protecting our data using outdated software with vulnerabilities they knew about, plus they failed to tell us that our data was at risk after the breach that they made the despicable choice of covering up at first, so now they're paying the price. 

 If you went and hired someone to paint your home while you're away, they ended up breaking a window due to negligence, but then failed to tell you about it for as long as Sony did with our data, during which all kinds of bad things could happen, would you not hold them responsible?

hemoleech

They should have had better security, but it's impossible to have everything completely hack proof. Anon has even managed to hack the Pentagon.

mlcarter815

Nothing more than a P.R. move by the UK regulatory board. That fine is nothing more than a slap on the wrist. 

Albelnox0

Gotta love all the bashing on sony here.  Especially the people who are saying "well you shouldn't use your credit card." And yet Steam, Blizzard, Origin, and Nintendo get a pass after they got hacked too.

monson21502

Can't believe that was all they were fined... They did everything they could think of to stop hackers from modding and preventing burned games and Blu-ray movies. I mean everything!! From filling discs half way full of anti-pirate code to taking away features from our 60 gig PS3s. But when it came to protecting our privates Sony left the door wide open!! But we were given 2 free games and 2 months of PSN+ free, so everyone forgave them, not really thinking how dirty Sony did them.... But not me!! I haven't bought anything from PSN since then, took my credit card info off my system and will never add it to any Sony systems ever again!

thechuck11

They should have just forced them to invest 250,000 in improved security... taking that money away from them won't help them protect people in the future...

mav_destroyer

I think this is the least of what Sony deserves. I was really disappointed with how they handled the situation and it took me months before I was able to regain access to my PSN account again (rendering their compensation useless)

Sony got themselves into a pissing contest with a group of hackers. They lost both their public image and the faith of their customers.

jtthegame316

The penalty should be higher. Sony made a big time mess up. Sony fanboys will always be on their side though, as this article's comments show, even when Sony are wrong.

obsequies

who cares, anyone who is dumb enough to dump credit card numbers online deserves what they risk into. for the rest of us we got free games and tightened security

DanielL5583

Eh, in the games industry, $250k is chump change, frankly.

Landsharkk

The facts are:

1) Sony had a known security leak in their Apache software and they did nothing for months

2) Sony failed to follow basic industry standards and encrypt user data (not just credit cards).  They also allowed this information at the front lines of their network, which is a big time no-no.  

What bugs me is that Sony thinks everything is "OK" because "'personal data is unlikely to have been used for fraudulent purposes".   Does this mean we can steal all of sony employee's personal info, just as long as we don't do anything with it?  Somehow that makes it OK? 

In reality Sony has absolutely NO WAY of knowing if the stolen personal data was used elsewhere by the thieves.  

In my opinion, Sony deserves to pay every penny of that fine.

tgwolf

No, I think the penalty should be higher, NOT because I am a sadistic and embittered anti-corporation freak that wants to stick it to everyone that is not as lazy as myself and actually earns their wealth, but because they are actually at fault for the loss of personal information and so on and could have done more to prevent it...and yeah, I'm a bit bitter about their pricing and the no-second-hand games thing...

Talnova

Appeal?  Sheesh why don't they just pay it.  For sure they will spend more than that on the case by the end.

blackace

Were the hackers ever caught and arrested? Sony can't afford £250,000. They are already selling buildings just to make ends meet and try not to show another billion in losses for the 4th quarter.

JimmeyBurrows

Where does the money go? Is it part of the plan to bail Europe out of the debt crisis? might need a bit more than 250k

WhiteStormy

Meanwhile, the hackers that started the whole thing are still at large and no one is looking for them.

RenegadeGR

Why is the ICO demanding money? Are they gonna share the cash with people whose accounts got hacked? BS

Vorexum

The euros love money eh.

deth420

When will these euros grow up!!

endorbr

And what does this do other than fine a company that has already lost plenty of money over this? It gives money to a government agency to make it look like they're doing something when honestly the market, consumers and Sony have already taken care of the problem. Sony maybe could have done a better job of security to prevent this but posturing and idiocy from a government agency to fill their coffers with money for nothing and further punishing a company that was actually a victim of a crime doesn't help anything.

jayjay444

250k is a very small amount to pay for a company that size; they're lucky they didn't get sued for millions.

Metronoid

Crackers should be in jail. Hackers don't destroy others' works.

spike6958

Am I the only one who finds it funny that the organisation fining Sony is called ICO?

myungish

Funny how it's always the customers that suffer, but some other organisation pockets the money.

crazycat690

So, they're pretty much being punished for being the victim of a crime? Was any info actually leaked? Has said information been used for evil deeds? There is no "unhackable" system, so anyone, especially an organized group, who set their minds to hacking someone can do it. No amount of money or security can stop that, and whatever the hackers did it was obviously nothing serious since the only fallout has been angry people looking to make money off the crime.

If my info would have caused bad stuff, if my bank account was emptied, I'd be pissed, but nothing happened. They've already lost lots of money because of it, this seems like digging up a dead dog to put some extra bullets in it.

emperiox

I agree with the UK on this one. If I as a customer lend my information to a company, they need to spend whatever it costs to protect it. Once I give them my information, they are responsible for it. I actually think that the UK should fine them a hell of a lot more.