Some of you might remember the gigantic hack of Sony’s PlayStation Network back in 2011 (which was apparently some form of retaliation soon after Sony announced it would sue PS3 hacker George Hotz). Ars Technica revealed a few days ago that the UK government fined Sony about $395,000 for its poor handling of that massive data leak.
As a reminder for those who didn’t have a PSN account back then, the personal information of 77 million accounts on Sony’s network had been disclosed, including customers’ names and addresses, as well as hashed versions of their passwords. Sony kept the breach secret for several days, publicly announcing the issue almost one week after it happened. It then took the PSN down for almost 3 weeks in order to fix the issue. According to the government’s experts, Sony’s handling of the situation breached the UK’s Data Protection Act.
“It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
Sony plans to appeal that decision, saying that the fine is undeserved. Almost as interesting as the piece of news itself are the comments from the community. Many gamers have pointed out that this represents half a cent per account, in other words a slap on the wrist for a company like Sony, especially given the impact. On the other hand, Sony’s health was already dramatically impacted at the time by the bad image and the costs involved with the hacks, so one can wonder if the UK’s fine is necessary (Sony’s stock value has been divided by 3 since March 2011; last month, Sony’s stock hit its lowest since 1988).
My opinion back in 2011 was that Sony should not pretend to play in the same league as companies such as Microsoft or Google if it does not have the security measures that go with it. And I’ll stick with that opinion: it’s one thing to sell TVs and video game consoles, it’s another to handle online services and people’s wallets. We can hope that Sony has learned that lesson, and spends more time and money on protecting its customers’ personal information than it did back then. (If I were cynical, I’d say that if they had spent as much effort securing our information as they spend preventing people from stealing their intellectual property, this issue would never have happened.)
More details in the official Penalty Notice.