Sony coughs up £250K ICO fine after security fears

Sony has begrudgingly abandoned its fight to contest a £250,000 fine handed down by the Information Commissioner’s Office after its massive 2011 PlayStation Network data breach. The Japanese electronics giant was slapped with the fine back in January for breaching the Data Protection Act after the personal info of millions of …

COMMENTS

This topic is closed for new posts.
  1. Stu J
    FAIL

    So...

    ...relying on security by obscurity then? Bad, bad Sony...

  2. Mad Mike

    Beyond words

    Don't know when large corporations will learn. Sony were found to have been woefully inadequate in their security provisions. We're not talking about clever hackers getting around decent security here. Sony's security stank big style with very, very basic errors and omissions. How they've got the audacity to even consider fighting this fine, as paltry and inadequate as it is, I really don't know.

    All this goes to show is that another leak is inevitable. Sony's attitude means it will happen. If they were truly contrite and had learnt from their mistakes, they wouldn't have argued and would just have paid.

    1. Mad Mike

      Re: Beyond words

      One downvote!! Looks like someone from Sony monitoring the comments!!

      Not sure how anyone can claim Sony had decent security. The ICO report itself explains just how bad it was!! Because Sony don't seem to accept they were in the wrong, they're just likely to do the same again. Hence, another leak is inevitable. Perhaps rather than just downvote, someone could explain the flaw in the logic?

      1. Mad Mike

        Re: Beyond words

        Another downvote and no response on why!! Looks like Sony are still here!! Another good example of why they are doomed to repeat their mistake.

    2. Anonymous Coward

      Re: Beyond words

      How do you know the details? What you read on the internet? Please....

      Most of the things you THINK you know about this are certain to be wrong.

      There were stories that they were using an old version of Apache. This turned out to be untrue.

      There were stories that credit card details were taken, this also turned out to be untrue

      There were stories that passwords were stored in plain text, again this turned out to be untrue.

      Guess which American corp was responsible for spreading all this FUD.....

      So tell us Mr Expert, what did they do wrong exactly, and what could they have done differently....

      1. nsld
        FAIL

        Re: Beyond words

        Dear Sony PR droid/unpaid intern

        No one gives a flying fuck how bad other providers are or the security or other issues they have.

        The grim reality is that Sony are the ones that lost a vast amount of personal information and failed dismally to secure its data or protect its customers.

        £250,000 was a cheap price to pay for lamentable performance of this magnitude.

        Enjoy your decaf soya latte!

      2. Anonymous Coward

        Re: Beyond words

        "There were stories that they were using an old version of Apache. This turned out to be untrue."

        They were using a "recent" version of the LAMP stack. So pretty much Swiss Cheese unless you patch it every week...

      3. Anonymous Coward

        Re: Beyond words

        "There were stories that credit card details were taken, this also turned out to be untrue"

        Why did Sony admit to it then? http://www.newscientist.com/blogs/onepercent/2011/05/sony-admits-12700-credit-card.html

        "There were stories that passwords were stored in plain text, again this turned out to be untrue."

        Nope - it was true: http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html

        1. Anonymous Coward

          Re: Beyond words

          @AC 17th July 2013 10:42 GMT

          Quite clearly you have learning disabilities, and I am sorry for that. Please ask your carer to explain this to you.

          Your first link is SOE, which isn't PSN, and it related to 12k old cards, all of which had passed expiry, and none of the security codes were taken. The link on the page you link to explains this in words that even a child could understand.

          The second link it's even Sony claiming passwords were in clear text, it's some 10yr old hacker. It's already well acknowledged they weren't in plain text, Sony themselves explaining the difference between encryption and hashing. In short, Sony were being using jargon that most didn't understand.

          http://www.networkworld.com/news/2011/042811-sony-response.html

          "The entire credit card table was encrypted and we have no evidence that credit card data was taken,"

          As mentioned by someone else, much of the vagueness is because the logging wasn't up to scratch. Sony couldn't be 100% sure that something was or wasn't accessed, and as any responsible company should be, had to go with the worst case scenario.

          However we now know they actually got bugger-all. Nothing has ever turned up online, no fraudulent activity detected, nothing..... It's all a massive storm in a teacup, and no more serious than the Gawker Media hack, the Nintendo hack, or any of the other high profile hacks in recent years.

          1. Mad Mike

            Re: Beyond words

            @AC

            "As mentioned by someone else. Much of the vagueness, is because the logging wasn't upto scratch. Sony couldn't be 100% sure that something was or wasn't accessed, and as any responsible company should be, had to go with the worst case scenario.

            However we now know, they actually got bugger-all. Nothing has ever turned up on line, no fraudulent activity detected nothing..... It's all a massive storm in a teacup, and no more serious than the Gawker Media hack, the Nintendo hack, or any of the other high profile hacks in recent years."

            So, in one breath you say the logging wasn't up to scratch and therefore they don't know what was taken. Then, you say we "now know, they actually got bugger all". If you don't have logs, how do you know they didn't get anything. The fact that nothing has turned up online is no indicator of whether the data was taken or not. It depends, amongst other things, on the motive for performing the attack. Maybe it wasn't fraud, but simply highlighting how bad the security was, with the data taken then being deleted. Who knows? Certainly not Sony.

            If, on the other hand, nothing actually was taken (and there is no evidence to substantiate this), then Sony should be rather red cheeked at having fallen for such a scam that cost it so much money on the basis of something that never even happened!! Tens of millions lost on the back of something that never was!!

            I'm not really sure which is the most embarrassing for Sony. It's a close call.

          2. Mad Mike
            Facepalm

            Re: Beyond words

            @AC

            "The second link it's even Sony claiming passwords were in clear text, it's some 10yr old hacker. It's already well acknowledged they weren't in plain text, Sony themselves explaining the difference between encryption and hashing. In short, Sony were being using jargon that most didn't understand."

            As opposed to a language masquerading as English, but actually isn't because the sentences don't make any sense!!

      4. Mad Mike

        Re: Beyond words

        AC.

        I read the ICO judgement and also happen to know someone who worked for Sony in security. Also, when you say a lot of things stated at the time in various media are 'untrue', this isn't exactly correct. Sony claim 'there is no evidence any credit card information was taken'. This doesn't mean it wasn't. The reality was that Sony's monitoring was so poor, they don't really know what happened!! So, you can't really say what was and what was not compromised. You can prove some was, the rest is conjecture.

        So, none of my comments were based on unsubstantiated claims on the internet (or elsewhere), but on judgements from the relevant authorities (i.e. ICO) and some personal connections.

        P.S.

        I also have personal experience of some of their quality security processes during issues with my PS3 account. One of these was a request to send an image of my passport (as in the important page with photo) to them to prove who I was. Now, many people may have just done this. However, I refused as this didn't prove anything other than that I was in possession of somebody's passport. In the end, they agreed I could redact everything bar the name and DOB and accepted that as evidence of my identity!! Absolute rubbish.

        And, by the way, this was AFTER they were breached!!

    3. Anonymous Coward

      Re: Beyond words

      What's beyond words is how Sony have been treated as the bad guys, despite doing the right thing and coming clean.

      Microsoft seem to have a free pass to cover up their Xbox Live hacking problems, which cost users REAL money...

      It's been going on for 2 years now, with no end in sight, and the problem is pushed under the carpet and trodden down...

      http://www.thesixthaxis.com/2012/02/26/xbox-live-accounts-still-being-hacked/

      http://arstechnica.com/security/2013/03/hackers-that-took-over-xbox-live-accounts-may-be-behind-ddos-attack-on-ars/

      So tell me, who is REALLY the irresponsible one???

      1. Gordon Pryra

        Re: Beyond words

        Ehh?

        Both?

        The defense of "at least we are not as bad as "other company" is a crap one. never seen it work.

        The story is not about M$'s failings, but about Sony. (need far more than a single page to talk about that)

      2. Anonymous Coward

        Re: Beyond words

        "Microsoft seem to have a free pass to cover up their Xbox Live hacking problems, which cost users REAL money..."

        Xbox Live has never been hacked. The only known issues around Xbox Live are for users who were conned via social engineering and similar techniques into giving up their ID, personal details and password. That's not a Microsoft issue...

      3. Mad Mike

        Re: Beyond words

        AC

        The fact that Microsoft have been getting away with something doesn't mean everyone else should get away with it as well. They should both be brought to book. Microsoft should suffer the full force of the law the same as Sony.

        P.S.

        Sony didn't 'come clean' at all. They admitted to the problem only after everyone already knew it had happened. That's completely different to admitting to something when people don't already know. Yes, it's one stage better than trying to hide it after everyone knows, but it still isn't exactly a sign of a morally righteous company.

  3. Gordon Pryra

    Says it's paying because.....

    "Says it's paying because it doesn't want to get hit by really big fines as they are 100% at fault"

    There, fixed that line for you

  4. b166er

    Basically they're paying up so they're not forced to reveal how shockingly bad their system was during this time.

    I suspect it was all down to a schoolboy error, which if revealed through a legal process would be far too damaging to Sony, so they'd rather cough up than face the consequences.

    £250,000 is probably a right bargain to keep the details under wraps.

  5. Eradicate all BB entrants

    Another reason they paid .....

    ..... was because the legal bill was just about to hit £249,999.99.

  6. Tony Proudlove
    Coat

    something something linux something mumble rootkit froth whine

    Sony have a long long way to go before they can make me forget the shocking injustice and disregard for their customers they showed during this whole sorry episode. By that I of course mean subjecting me to "Don't Mess with the Zohan" as part of the PSN Welcome Back compensation package.
