Sony Vacates Appeal of PlayStation Fine

Company Seeks to Prevent Disclosures during Court Proceedings
Sony Vacates Appeal of PlayStation Fine

Sony Entertainment Network will withdraw its appeal of a £250,000 fine - that's nearly $390,000 - for not taking appropriate steps to safeguard customers' personal information when hackers attacked its PlayStation Network in April 2011 [see Sony Breach Ignites Phishing Fears].

See Also: JavaScript and Blockchain: Technologies You Can't Ignore

"After careful consideration, we are withdrawing our appeal," Sony said in a statement. "This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits."

Britain's Information Commissioner's Office, in a report issued on Jan. 24, said its investigation found that the attack could have been prevented if the network's software had been up-to-date. In addition, U.K. authorities said Sony's technology at the time did not appropriately secure passwords [see U.K. Fines Sony over PlayStation Breach.]

The breach revealed the personal information of 77 million customers of Sony's PlayStation Network and Qriocity service, including their names, addresses, dates of birth and account passwords. Customers' payment card details also were exposed [Sony Breach Ignites Phishing Fears].

When British authorities levied the fine against Sony, company spokesman Jonathan Fargher said the Information Commissioner's Office recognized that Sony was victimized by a focused and determined criminal attack, and no evidence exists that hackers accessed encrypted payment card details and that personal data was used fraudulently.

Security 'Not Good Enough'

Still, David Smith, Britain's deputy information commissioner and director of data protection, said Sony failed to secure its customers' personal details. "The security mesures in place were simply not good enough," he said. "There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."

The attacks occurred between April 17 and 19, 2011, forcing Sony to shutter the PlayStation network on April 20. The outage lasted for more than three weeks.

Within a month of the attacks, Sony said distributed denial of service attacks camouflaged simultaneous intrusions that resulted in the exposure of the personal information [see Sony: DDoS Masked Data Exfiltration].

At the time of the attacks, Sony did not have a chief information security officer. That was remedied in September 2011, when Sony tapped Phillip Reitinger, a onetime top cybersecurity policymaker at the Department of Homeland Security, as its CISO and senior vice president [see Ex-DHS Official Becomes Sony's CISO].

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.