Crap security lands Sony £250k fine for PlayStation Network hack

Sony has been fined £250,000 ($395k) for allowing millions of UK gamers' details to be spilled online by PlayStation Network hackers. The UK's Information Commissioner's Office (ICO) levied the heavy fine against Sony Computer Entertainment Europe for a serious breach of the Data Protection Act. Personal information of …

COMMENTS

  1. Anonymous Coward
    Unhappy

    Lapdog not watchdog

    Another derisory fine that is of such little significance that big companies know the law doesn't apply to them. Obviously for an SME a £250k fine could be a death sentence, but that doesn't apply to big companies.

    Moreover, if the cost of the cleanup is going to be around 400 times the value of the fine (and that's overlooking the cost of reputational damage), let's do away with the ICO, and save the £20m a year that they cost, plus all the red tape for those businesses that do try and comply.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lapdog not watchdog

      That will help teach them not to put public facing services on something as insecure as a LAMP based stack....

      1. Anonymous Coward
        Anonymous Coward

        Re: Lapdog not watchdog

        You do know that everything you read on the Internet isn't true?

        LOL at actually believing they ran LAMP on PSN.... Even the reports of out-of-date Apache were a hoax and part of Microsoft's FUD stirring...

        When will the ICO investigate all the Xbox Live account emptying that's been occurring for the last 2 years, where gamers are losing REAL money.. The answer is, they won't because Microsoft have done a great job of covering up the problem, unlike Sony's open and honest approach....

        1. Flawless101
          Trollface

          Re: Lapdog not watchdog

          Thanks for those sources and references, anon! I'll believe you, this time, because "Anonymous Coward" makes a lot of posts here so they must be trustworthy.

        2. NumptyScrub
          Trollface

          Re: Lapdog not watchdog

          quote: "When will the ICO investigate all the Xbox Live account emptying that's been occurring for the last 2 years, where gamers are losing REAL money.. The answer is, they won't because Microsoft have done a great job of covering up the problem, unlike Sony's open and honest approach...."

          OK, I'll bite :)

          a) read the T&Cs and the EULA for XBox Live and MS Points; they specifically claim that once you turn cash into Points, it no longer has a monetary value; someone nicking all your Points (which they can't do directly, instead it gets spent on FIFA 13 players or some shit) has not relieved you of anything with a direct monetary value, according to the T&Cs / EULA you have already agreed to. Stupid, but apparently legally binding; you have not lost "real money", you've lost a bunch of "game coupons" with a face value of <0.0001p.

          b) having a password of "password" or "abc123" does not, regardless of the backend security used, make your account secure. How many of these breaches were of accounts that had been dictionary cracked due to lax password practices, instead of directly attributable to shoddy MS backend practices? I'm not (deliberately, anyway) an MS apologist, but I do know that some people use crap passwords, and then use the same crap password everywhere.

          A friend of mine had his Live account cleared of points because he used the same email address and password as his PSN account (which was leaked in the attack). That particular cleanout could be easily attributed to Sony, not MS. It could also be easily attributed to him being an idiot and reusing the same credentials for both services. How many other people are in a similar boat?

          I'm going to assume that you have had your Live account cleaned out, which is why you have a bee in your bonnet regarding this. If this is the case, can you confirm that your password was unique among all your accounts, strong, and that you used a different email address from any used on sites with weak / nonexistent security (preferably also unique amongst all accounts you hold)? Bear in mind that "Average Joe wouldn't, so I don't see why I should have to" is not going to get you any sympathy from me; sorry to rain on your parade, but the easy availability of domain names, and hosts with MPOP mailboxes, means that using unique addresses for everything is actually quite straightforward, if you don't want to cheap out on your account security.

          <rant>

          I'm minded to start a company that offers to rejig all your physical locks to run from the same key; it's the physical security equivalent of reusing the same password, so surely a majority of people will be happy to give up the extra security for the increased simplicity? And when someone clones their key and cleans them out, they can just blame me for making the key easy to copy or something, instead of examining why they, deliberately, chose to cripple their security in the name of laziness :)

          </rant>

        3. Anonymous Coward
          Anonymous Coward

          Re: Lapdog not watchdog

          At least Xbox Live (and the underlying Azure) are secure....

          1. Mad Mike

            Re: Lapdog not watchdog

            Well, yes and no. The underlying mechanisms may allow for good security, but security isn't just about the mechanisms. It's also about the users running sensible practices as well. You could argue that any solution based on userids (or email accounts or something) and passwords is never secure as it allows the user to reduce the security close to zero if they choose silly passwords etc.

            Security is software, hardware and procedures from all involved, not just Microsoft (in this case).

            1. Mad Mike

              Re: Lapdog not watchdog

              Sorry, I should add that I don't believe any system using userids and passwords can ever be secure. You're simply playing the odds. Any password can be cracked if given enough. The reality is that provided your password is not an obvious one (such as 'password' etc.) and is more than, say, 6 characters long, it can be secure. The biggest problem with most sites at the moment is that they don't have a method of disabling and locking an account if too many attempts at the password are made. If the account is locked and an extended mechanism has to be followed to reactivate it, brute force and dictionary attacks etc. can't work. You can make your password longer and more and more complex, but ultimately, you're simply playing an odds game, which ultimately, you'll lose.

            2. Anonymous Coward
              Anonymous Coward

              Re: Lapdog not watchdog

              But the INFRASTRUCTURE has so far been secure. And therefore any losses are based only upon the stupidity of individual users. Not the mass publishing of personal details a la Sony....

              1. Mad Mike

                Re: Lapdog not watchdog

                Ah. Now you're changing your statement. You said their security was good. I simply pointed out that security is more than just infrastructure etc. and also about how people use said infrastructure. Yes, to our knowledge, their infrastructure has been secure and that's true. However, that wasn't what you said.

        4. Anonymous Coward
          Anonymous Coward

          Re: Lapdog not watchdog

          Sony have previously stated that their infrastructure was Linux based, and Sony's use of Apache is a matter of public record.

          Microsoft's FUD stirring?! What? Are you seriously claiming that Microsoft somehow managed to publish statements on behalf of Sony? You are full of shit....

  2. Mad Mike

    Amazing

    I remain amazed about this for three reasons.

    1. Someone dared take on a major business entity such as Sony.

    2. Sony have the audacity to claim it is being unfairly treated and are planning an appeal. Their security was pitiful, yet they're spending their entire time blaming everyone but them.

    3. The fine is pitiful. Given the magnitude of the loss and the data involved, the fine should have been orders of magnitude greater than £250k. Not sure what the ICO's limits are, but double digit millions and maybe higher should be the fine for this level of negligence.

    1. NightFox

      Re: Amazing

      According to the bootnote, the ICO's limits are only £500k anyway so double-digit millions was, sadly, never going to happen.

      1. VinceH

        Re: Amazing

        "According to the bootnote, the ICO's limits are only £500k anyway so double-digit millions was, sadly, never going to happen."

        Yes. That limit should be removed, and the fine should be based on the number of people whose details were involved - say, a tenner per person. Millions of people affected? A fine of tens of millions.

      2. Anonymous Coward
        Anonymous Coward

        Re: Amazing@NightFox

        "According to the bootnote, the ICO's limits are only £500k anyway so double-digit millions was, sadly, never going to happen."

        If they'll take payment in Vietnamese Dong then you are wrong. At 33,000 Dong per £, Sony will have been fined 8.3 billion.

  3. Anonymous Coward
    Anonymous Coward

    why not let the victims decide compensation

    Hmmm, let's say 100k a pop. Now that would be more than a slap on the wrist.

    1. Mad Mike

      Re: why not let the victims decide compensation

      Yes, rather double standards here. In America, fines for, say, copyright infringement are on a per track basis. So, a few thousand and the fine is a lot of money. So, by their logic, if any action is brought in the US, the fine should be on a per person impacted basis, with each case being worth a couple of thousand. Now, that would be a fine. Never see it happen though.

      In this country, this case simply sends the message that you can be totally negligent in your security and lose important and financial information on millions, but the fine isn't even a quid a time. Pathetic. Rather than encouraging firms to implement the right security and take information security seriously, this rather does the opposite. Arguably, the ICO are operating against their brief.

      1. asdf
        Thumb Down

        Re: why not let the victims decide compensation

        > the fine should be on a per person impacted basis, with each case being worth a couple of thousand

        Huge fines per incident are only for individuals and small fry companies. In the US people might believe corporations are people too, my friend, but they are so much more, with a lot more rights and a lot fewer responsibilities.

  4. Anonymous Coward
    Anonymous Coward

    Surely a joke

    Surely the ICO is having a laugh here.

    £250k is a derisory sum for Sony and given the size of the organisation is likely to be written off as pocket change.

    Basically the ICO is saying that scrimping on security, thereby compromising millions of users' accounts, card details etc (as per the ICO's CMP statement) is actually worthwhile to Sony as it would have cost them a lot more to implement the security controls in the first place.

    I bet Brighton and Sussex Hospital Trust (£325,000 CMP) is over the moon about this....

  5. Craig 2
    Thumb Up

    Market opportunities....

    Just out of curiosity, what was the black market value of the user data? If it's over 250k then they're laughing, and it could be a new revenue stream for unscrupulous companies. Just sell their user data to the highest bidder, say it was hacked, take the fine & pocket a tidy sum.

  6. Valeyard

    Other countries?

    Are other countries following suit? As it wasn't just UK users affected.

    True, if we fined them millions then other countries would be like "I'll have some of that!" and do the same, which would have a cumulative effect (though arguably, justifiably so) which would really do some (maybe too much) damage.

    On the other hand, if we expect Sony to be punished by multiple countries and therefore think our fine is OK as it'll be part of a greater punishment, but then that never happens, then we look silly.

    The way, believe it or not, to make this proportional and fair to suit both points above would be a fine per user of each country levied by that country, but we all know that's too much effort for the ICO; they're too busy waiting for the NHS to report themselves some more.

  7. Anonymous Coward
    Anonymous Coward

    I see you missed out the important bits

    and focused on the sensationalist stuff.....

    http://www.ico.gov.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx

    * Personal data is unlikely to be used for fraudulent purposes

    * No complaints received to date.

    * There is no evidence to suggest that ENCRYPTED payment card details were accessed.

    1. Mad Mike

      Re: I see you missed out the important bits

      "* Personal data is unlikely to be used for fraudulent purposes

      * No complaints received to date.

      * There is no evidence to suggest that ENCRYPTED payment card details were accessed."

      If personal data (such as DOB, address etc.etc.) that was all taken is unlikely to be used for fraudulent purposes, why does the ICO warn everyone to take great care of just such data? What about all the fraud that goes on at the moment, using exactly this sort of information? Stupid statement.

      If no complaints have been received, this is simply because people realise it's a pointless exercise!!

      No evidence of ENCRYPTED payment card details being accessed? What about unencrypted?

      Sony never learnt from this anyway. I had to do something with my son's account and Sony tried to insist on me sending them a scan of my passport, with picture and all the details!! That couldn't be used for dodgy purposes could it!!

    2. Anonymous Coward
      Anonymous Coward

      Re: I see you missed out the important bits

      Yeah, cos personal data is often compromised without being used for fraudulent purposes, isn't it? I mean, it's not like that would be the reason it was accessed or anything.

      What is more interesting on the actual CMP notice itself, is the bits that have been redacted. The number of data subjects appears to be too secret to tell the public and what was para 7 all about?

      Dodgy.

      1. Anonymous Coward
        Anonymous Coward

        Re: I see you missed out the important bits

        "Yeah, cos personal data is often compromised without being used for fraudulent purposes, isn't it?"

        That's the point, nobody knows for sure if anything was ever taken. I know it's nice to play the Sony hate game and pretend it's a given that there was. However nothing has ever surfaced, no increases in fraud as a result, no mass hacking as a result of reuse of logins/passwords/DOB. The problem is, there is just no way of proving that 100%, so Sony have to assume they did (even though they almost certainly didn't).

        What's the biggest crime here is Sony have been dragged over the coals for doing the RIGHT thing and coming clean and open and honest, yet Microsoft pushing their Xbox account hacking problems under the carpet goes by without anyone caring. Try telling me that's justice. It's not, it's the Internet kangaroo court justice at work, along with Microsoft's spin doctors at work.

        1. Mad Mike
          Thumb Down

          Re: I see you missed out the important bits

          "That's the point, nobody knows for sure if anything was ever taken. I know it's nice to play the Sony hate game and pretend it's a given that there was. However nothing has ever surfaced, no increases in fraud as a result, no mass hacking as a result of reuse of logins/passwords/DOB. The problem is, there is just no way of proving that 100%, so Sony have to assume they did (even though they almost certainly didn't)."

          I think you're missing the point here. Our silly legal system generally bases the penalty on what happens rather than what could have. The fact that the data was or was not used fraudulently is actually irrelevant. The important part is that Sony took negligent care of your data. For example. If I paid you to look after my home whilst I was on holiday and came home to find all the windows and doors open, I'm likely to be somewhat p**sed. If all the contents are missing, I'll be even more p**sed. However, even if the contents are untouched, I'll still be heavily p**sed, just relieved that you/I got away with it. The crime is leaving the windows and doors open. Whether the stuff is nicked or not probably comes down to pure luck.

          Similarly, if someone falls asleep at the wheel and crashes into a field, he'll probably face a bigger insurance premium etc., but that's all. Police are likely not to even be involved. However, if the same person fell asleep at a different place and crashed into a crowd of people killing several, they'd probably end up in jail etc.etc. However, the crime is falling asleep. Whether you kill anyone or get away with it is pure luck.

          Therefore, Sony are guilty of the crime of negligently storing your information and making it easily available for people to steal. Whether someone does or does not could well be down to pure luck. In other words, the outcome is not really relevant in many cases to the size and magnitude of the crime. The outcome is often unpredictable, very different for the same crime, but the penalty should be the same for both. Why should someone face a smaller penalty simply because they got lucky?

    3. Anonymous Coward
      Anonymous Coward

      Re: I see you missed out the important bits

      Para 8 says

      "(REDACTED) million customers had registered payment card details to their account although there is no evidence that the encrypted payment card details were accessed. (big bit REDACTED) and the Network Platform team did not detect any unauthorised activity until 19 April 2011."

      This kind of implies that there is a good chance the access would have gone unnoticed and may have taken place for a significant length of time (as that information is also REDACTED.....).

      Hardly reassuring, is it?

  8. measmyself
    FAIL

    I have just read the ICO notice, and think it would be interesting to see the blacked out sections.

    What surprised me most was that Sony has until 14th Feb 2013 to make the £250,000 payment by cheque; however, there is an early payment discount which allows a 20% lower payment (£200,000) if made by 13th Feb 2013.

    How can you get a 20% discount for 1 day early? That's ridiculous! (and I'm a Sony fan)

  9. Dr Wadd
    WTF?

    There was someone from the ICO on BBC News this morning and he was asked why the fine was so relatively low. He attempted to argue that there were mitigating factors, one of which was the loss of revenue that Sony had suffered as a result of a lack of customer trust. In effect, he was claiming that the lost business was tantamount to a fine. I find that to be an absolutely ludicrous argument and it certainly wouldn't be applied to other sectors. I'm sure sales of Gary Glitter records dropped drastically following his arrest and conviction, which had an impact on his earnings, but I don't think anybody would even start to argue that his punishment should be more lenient because he had suffered financially as a result of his actions.

  10. heyrick Silver badge

    Pile of crap!

    "Personal information of millions of Brits - including their names, addresses, email addresses, dates of birth and account passwords"

    ...given what was lost, it wouldn't even be a viable fine at a fiver per person. But 250k? What a joke.

  11. adam payne

    The fine seems a little bit small considering the scale.

    I still say Sony should have known better.

  12. NomNomNom

    the fine seems a bit excessive

  13. Lockwood
    Thumb Up

    Is this the first time we've heard here of the ICO fining someone other than a local authority or the NHS?

  14. MJI Silver badge

    What about SOTC and TLG?

    You keep on about ICO; what about Shadow of the Colossus and of course where is The Last Guardian?

  15. Confuciousmobil
    Facepalm

    Surely...

    Sony must have expected it? After they went for young Mr Hotz they must have realised that a lot of hackers were getting seriously hacked off.

    While I am sure George had nothing to do with it, the people that did this were doing it to get back for what they saw as an attack on one of their own.

    While I in no way condone what happened, Sony really should have seen it coming. The fine is risibly small but the costs to Sony were not insignificant and could, so easily, have been avoided.
