The Sony PlayStation Network Hacking Case (An Analysis of the UK ICO’s Resolution)

On January 14 of this year, the United Kingdom Information Commissioner’s Office (“ICO”) imposed a monetary penalty of GBP 250,000 for a serious breach of the UK Data Protection Act of 1998 (the “Act”). The penalty comes after the Sony PlayStation Network was hacked in April 2011, compromising the personal information of millions of customers, including their names, email addresses, dates of birth and account passwords. In this article I want to highlight some important points used as criteria by the ICO to set the penalty because, even though many data protection laws are similar (or based on the same background), the ICO made what I would call “a sharp resolution”: a brilliant move and interpretation of the Act.

Sony Playstation.  Photo by Armando Becerra (2013)

Sony Playstation. Photo by Armando Becerra (2013)

The background

1)   The ICO defines Sony Computer Entertainment Europa Limited (“SCEE”) as the “data controller”: “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed; as defined in Section 1(1) of the Act:

2)   “It shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller”; as defined in Section 4(4) of the Act.

3)   Sony Network Entertainment Europe Limited (“SNEE”) operates a PlayStation Network Platform (the “Network Platform”) in a territory which covers Europe, the Middle East, Africa, Australia and New Zealand.

The clever move

Because SCEE is defined as the “data controller” with respect to the personal data provided by customers when they create an account to access the “Network Platform”, the ICO defines the “Network Platform”, including the PlayStation customer databases, as an asset administered and maintained on the data controller’s behalf by a US service provider, which is part of the Sony Group. In other words, the ICO fined SCEE because their service provider was hacked by poor security controls.  Here, the “trick” is that the ICO did not try to fine all of SNEE or the owners of the Network Platform.  They understood that the Network Platform is just a service provider to SCEE, the data controller.

The technical understanding

After the accountability analysis of the ACT, the ICO made an extensive technological evaluation to check whether SCEE, as data controller, did or not implement available updates.  It determined that the data controller cannot justify this absence of security because of the resources that were available to it at the time of the breach:

1)   The ICO is aware that the data controller made some efforts to protect account passwords. However, the data controller failed to ensure that the Network Platform service provider kept up with technological developments. Therefore, the means used were not deemed appropriate, given the technical resources available to SCEE by the time of the attack.

2)   SCEE, as data controller, failed to take the actions required to address the vulnerability that caused the breach, even though appropriate updates were available.

The monetary penalty notice does not provide details about the security weaknesses or how the data breach happened.

The aftermath

Sony’s spokesperson, in appealing the ICO’s fine, stated: “Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen its systems, building in multiple layers of defense and working to make our networks safe, secure and resilient”.

However, David Smith, Deputy Commissioner and Director of Data Protection, said that there are “no apologies” for the substantial penalty issued.

What we can learn…

Sony eventually decided not to appeal the penalty from U.K authorities.  The ICO’s resolution is a great example of how to treat privacy and data protection affairs with multinational and borderless corporations: data protection authorities can use their local data protection laws to demand accountability from international companies, because they treat personal information with local offices or just because they treat the personal data of the people protected by such laws.

Armando Becerra


4 Responses to “The Sony PlayStation Network Hacking Case (An Analysis of the UK ICO’s Resolution)”
  1. Lets see if there’s a difference when the regulations become EU wide

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

  • Blog authors

  • Copyright notice

    © Copyright 2010-2014 "Information Security Breaches & The Law".
    All rights reserved, unless noted otherwise under each author's post, page or other material.
    If you would like to discuss licensing terms, contact us at: info [at] security-breaches [dot] com.

  • Enter your e-mail address here to follow this blog and receive notifications of new posts by e-mail.

  • The “Global Information Security Breach Professionals” Group on Linkedin

  • Wordpress Blog Stats

    • 46,846 hits
%d bloggers like this: