Sony fined £250k over data hack

Sony Computer Entertainment Europe has been fined £250,000 ($396,100) following a “serious breach” of the Data Protection Act in what UK authorities described as a preventable incident. Absolute Data reported the hack in May 2011, in which Sony lost the credit card details of more than 70 million people. The Information Commissioner’s Office (ICO) criticised the entertainment giant for not having up-to-date security software.
The company had previously apologised for the hack, which saw its PlayStation Network knocked offline for several days. In May 2011 company executives bowed in public and offered users free games to show their remorse.

The ICO’s report said technical developments had led to user passwords not being secure, leaving data such as names, addresses, dates of birth and payment card information at risk. “If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority,” said David Smith, deputy commissioner and director of data protection at the ICO. “In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.” Smith added that Sony “is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
As we at Absolute Data continue to highlight, even multi-national high-tech companies with bags of resources don’t get it right all of the time. Sony probably thought that they had information security covered, something that as consultants we hear all the time, but clearly they didn’t, and they suffered a major breach. So what was at fault? The Information Commissioner’s report sets out, or implies, a number of possible causes:

  • Weak IT security measures at the third party network services provider,
  • Inadequate monitoring and control of the third party by Sony,
  • Inadequate data processor agreement between Sony and the third party,
  • Poor processes for development and testing of system modifications,
  • A cavalier organisational culture at the third party and/or Sony,
  • Weaknesses in IT and infrastructure design,
  • Ineffective or infrequent penetration testing,
  • Inadequate/inappropriate policy regarding the information held about customers.

And there are many more that could be added to the list.

The important question is what could have been done to reduce the likelihood and impact of a breach in the first place? Measures that would have helped include:

  • Regular training and awareness of privacy and information security threats/matters,
  • Technological tools like encryption,
  • A policy and process for rapidly applying software patches as they become available, with thorough test procedures and sign-off,
  • Not keeping so much data about customers in one place,
  • Better screening and auditing of third party suppliers,
  • Incident logging and review to highlight increased threat levels.

And there are many more. One of the biggest questions is whether one-off, stand-alone measures have any realistic chance of minimising breach threat and breach impact. Our view is that a structured and strategic approach to information assurance/data governance is absolutely essential, and that the lack of such a system is the root cause of Sony’s problems.