Sony coughs up £250K ICO fine after security fears

Sony has begrudgingly abandoned its fight to contest a £250,000 fine handed down by the Information Commissioner’s Office after its massive 2011 PlayStation Network data breach. The Japanese electronics giant was slapped with the fine back in January for breaching the Data Protection Act after the personal info of millions of …

COMMENTS

This topic is closed for new posts.
  1. Stu J
    FAIL

    So...

    ...relying on security by obscurity then? Bad, bad Sony...

  2. Mad Mike

    Beyond words

    Don't know when large corporations will learn. Sony were found to have been woefully inadequate in their security provisions. We're not talking about clever hackers getting around decent security here. Sony's security stank big style with very, very basic errors and omissions. How they've got the audacity to even consider fighting this fine, as paltry and inadequate as it is, I really don't know.

    All this goes to show is that another leak is inevitable. Sony's attitude means it will happen. If they were truly contrite and had learnt from their mistakes, they wouldn't have argued and just paid.

    1. Mad Mike

      Re: Beyond words

      One downvote!! Looks like someone from Sony monitoring the comments!!

      Not sure how anyone can claim Sony had decent security. The ICO report itself explains just how bad it was!! Because Sony don't seem to accept they were in the wrong, they're just likely to do the same again. Hence, another leak is inevitable. Perhaps rather than just downvote, someone could explain the flaw in the logic?

      1. Mad Mike

        Re: Beyond words

        Another downvote and no response on why!! Looks like Sony are still here!! Another good example of why they are doomed to repeat their mistake.

    2. Anonymous Coward

      Re: Beyond words

      How do you know the details? What you read on the internet? Please....

      Most of the things you THINK you know about this are certain to be wrong.

      There were stories that they were using an old version of Apache. This turned out to be untrue.

      There were stories that credit card details were taken; this also turned out to be untrue.

      There were stories that passwords were stored in plain text, again this turned out to be untrue.

      Guess what American corp were responsible for spreading all this FUD.....

      So tell us Mr Expert, what did they do wrong exactly, and what could they have done differently....

      1. nsld
        FAIL

        Re: Beyond words

        Dear Sony PR droid/unpaid intern

        No one gives a flying fuck how bad other providers are or the security or other issues they have.

        The grim reality is that Sony are the ones that lost a vast amount of personal information and failed dismally to secure its data or protect its customers.

        £250,000 was a cheap price to pay for lamentable performance of this magnitude.

        Enjoy your decaf soya latte!

      2. Anonymous Coward

        Re: Beyond words

        "There were stories that they were using an old version of Apache. This turned out to be untrue."

        They were using a "recent" version of the LAMP stack. So pretty much Swiss Cheese unless you patch it every week...

      3. Anonymous Coward

        Re: Beyond words

        "There were stories that credit card details were taken, this also turned out to be untrue"

        Why did Sony admit to it then? http://www.newscientist.com/blogs/onepercent/2011/05/sony-admits-12700-credit-card.html

        "There were stories that passwords were stored in plain text, again this turned out to be untrue."

        Nope - it was true: http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html

        1. Anonymous Coward

          Re: Beyond words

          @AC 17th July 2013 10:42 GMT

          Quite clearly you have learning disabilities, and I am sorry for that. Please ask your carer to explain this to you.

          Your first link is SOE, which isn't PSN, and it related to 12k old cards, all of which had passed expiry, and none of the security codes were taken. The link on the page you link to explains this in words that even a child could understand.

          The second link it's even Sony claiming passwords were in clear text, it's some 10yr old hacker. It's already well acknowledged they weren't in plain text, Sony themselves explaining the difference between encryption and hashing. In short, Sony were being using jargon that most didn't understand.

          http://www.networkworld.com/news/2011/042811-sony-response.html

          "The entire credit card table was encrypted and we have no evidence that credit card data was taken,"

          As mentioned by someone else, much of the vagueness is because the logging wasn't up to scratch. Sony couldn't be 100% sure that something was or wasn't accessed, and as any responsible company should be, had to go with the worst case scenario.

          However we now know, they actually got bugger-all. Nothing has ever turned up online, no fraudulent activity detected, nothing..... It's all a massive storm in a teacup, and no more serious than the Gawker Media hack, the Nintendo hack, or any of the other high profile hacks in recent years.

          1. Mad Mike

            Re: Beyond words

            @AC

            "As mentioned by someone else, much of the vagueness is because the logging wasn't up to scratch. Sony couldn't be 100% sure that something was or wasn't accessed, and as any responsible company should be, had to go with the worst case scenario.

            However we now know, they actually got bugger-all. Nothing has ever turned up online, no fraudulent activity detected, nothing..... It's all a massive storm in a teacup, and no more serious than the Gawker Media hack, the Nintendo hack, or any of the other high profile hacks in recent years."

            So, in one breath you say the logging wasn't up to scratch and therefore they don't know what was taken. Then, you say we "now know, they actually got bugger all". If you don't have logs, how do you know they didn't get anything? The fact that nothing has turned up online is no indicator of whether the data was taken or not. It depends, amongst other things, on the motive for performing the attack. Maybe it wasn't fraud, but simply highlighting how bad the security was, with the data taken then being deleted. Who knows? Certainly not Sony.

            If, on the other hand, nothing actually was taken (and there is no evidence to substantiate this), then Sony should be rather red-cheeked at having fallen for such a scam that cost it so much money on the basis of something that never even happened!! Tens of millions lost on the back of something that never was!!

            I'm not really sure which is the most embarrassing for Sony. It's a close call.

          2. Mad Mike
            Facepalm

            Re: Beyond words

            @AC

            "The second link it's even Sony claiming passwords were in clear text, it's some 10yr old hacker. It's already well acknowledged they weren't in plain text, Sony themselves explaining the difference between encryption and hashing. In short, Sony were being using jargon that most didn't understand."

            As opposed to a language masquerading as English, but actually isn't because the sentences don't make any sense!!

      4. Mad Mike

        Re: Beyond words

        AC.

        I read the ICO judgement and also happen to know someone who worked for Sony in security. Also, when you say a lot of things stated at the time in various media are 'untrue', this isn't exactly correct. Sony claim 'there is no evidence any credit card information was taken'. This doesn't mean it wasn't. The reality was that Sony's monitoring was so poor, they don't really know what happened!! So, you can't really say what was and what was not compromised. You can prove some was; the rest is conjecture.

        So, none of my comments were based on unsubstantiated claims on the internet (or elsewhere), but on judgements from the relevant authorities (i.e. ICO) and some personal connections.

        P.S.

        I also have personal information on some of their quality security processes during issues with my PS3 account. One of these was a request to send an image of my passport (as in the important page with photo) to them to prove who I was. Now, many people may have just done this. However, I refused as this didn't prove anything other than that I was in possession of somebody's passport. In the end, they agreed I could redact everything bar the name and DOB and accepted that as evidence of my identity!! Absolute rubbish.

        And, by the way, this was AFTER they were breached!!

    3. Anonymous Coward

      Re: Beyond words

      What's beyond words is how Sony have been treated as the bad guys, despite doing the right thing and coming clean.

      Microsoft seem to have a free pass to cover up their Xbox Live hacking problems, which cost users REAL money...

      It's been going on for 2 years now, with no end in sight, and the problem is pushed under the carpet and trodden down...

      http://www.thesixthaxis.com/2012/02/26/xbox-live-accounts-still-being-hacked/

      http://arstechnica.com/security/2013/03/hackers-that-took-over-xbox-live-accounts-may-be-behind-ddos-attack-on-ars/

      So tell me, who is REALLY the irresponsible one???

      1. Gordon Pryra

        Re: Beyond words

        Ehh?

        Both?

        The defense of "at least we are not as bad as 'other company'" is a crap one. Never seen it work.

        The story is not about M$'s failings, but about Sony. (need far more than a single page to talk about that)

      2. Anonymous Coward

        Re: Beyond words

        "Microsoft seem to have a free pass to cover up their Xbox Live hacking problems, which cost users REAL money..."

        Xbox Live has never been hacked. The only known issues around Xbox Live are for users who were conned via social engineering and similar techniques into giving up their ID, personal details and password. That's not a Microsoft issue...

      3. Mad Mike

        Re: Beyond words

        AC

        The fact that Microsoft have been getting away with something doesn't mean everyone else should get away with it as well. They should both be brought to book. Microsoft should suffer the full force of the law the same as Sony.

        P.S.

        Sony didn't 'come clean' at all. They admitted to the problem only after everyone already knew it had happened. That's completely different to admitting to something when people don't already know. Yes, it's one stage better than trying to hide it after everyone knows, but it still isn't exactly a sign of a morally righteous company.

  3. Gordon Pryra

    Says it's paying because.....

    "Says it's paying because it doesn't want to get hit by really big fines as they are 100% at fault"

    There, fixed that line for you.

  4. b166er

    Basically they're paying up so they're not forced to reveal how shockingly bad their system was during this time.

    I suspect it was all down to a schoolboy error, which if revealed through a legal process would be far too damaging to Sony, so they'd rather cough up than face the consequences.

    £250,000 is probably a right bargain to keep the details under wraps.

  5. Eradicate all BB entrants

    Another reason they paid .....

    ..... was because the legal bill was just about to hit £249,999.99.

  6. Tony Proudlove
    Coat

    something something linux something mumble rootkit froth whine

    Sony have a long long way to go before they can make me forget the shocking injustice and disregard for their customers they showed during this whole sorry episode. By that I of course mean subjecting me to "Don't Mess with the Zohan" as part of the PSN Welcome Back compensation package.


Biting the hand that feeds IT © 1998–2022