We use cookies to track usage of our site. Details of these can be found on our Cookie Policy. You may choose to decline all tracking cookies, but if you do some key features may not work as expected.

2021-12-06
Legal Articles

Data protection - Sony fined £250,000 for data security breach

Home / Knowledge base / Data protection - Sony fined £250,000 for data security breach

Posted by Pete Maguire on 08 March 2013

Pete Maguire - Commercial Contracts Lawyer
Pete Maguire Partner - Head of Commercial
Sign up for updates

Share article

The UK Information Commissioner’s Office (the “ICO”) has fined Sony £250,000 following a breach of security of its PlayStation Network Platform.

In April 2011, a group of hackers attacked part of the PlayStation Platform compromising the personal information of millions of Sony customers, including their names, addresses, email addresses, dates of birth, account passwords and in some cases, credit card details.

ICO’s findings

The ICO determined that Sony had committed a serious breach of the Data Protection Act 1998. It had failed to ensure that appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on its servers (breaching the seventh data protection principle). 

The ICO considered a number of aggravating and mitigating factors, including the nature and effect of the breach, Sony’s behaviour and the impact on Sony. 

Aggravating factors:

  • The nature and vast amount of personal data placed at risk meant that the contravention was considered particularly serious.
  • Sony should have been aware of the software vulnerability, acted sooner and had sufficient resources to address the security issues.
  • Sony has sufficient financial resources to pay a monetary penalty up to the maximum without causing undue financial hardship.

Mitigating factors:

  • Sony was subject to “a focused and determined criminal attack”.
  • Sony had taken steps to secure some aspects of the PlayStation Platform and there had been no similar security breach in the past.
  • The compromised personal data was unlikely to have been used for fraudulent purposes and the ICO had not received any complaints.
  • Sony voluntarily reported the contravention to the ICO and had subsequently been fully cooperative with the ICO investigations. 
  • Sony had taken substantial remedial action, which included informing the affected data subjects and offering reparation in the form of a “welcome back” package where appropriate.
  • The security breach had had a significant impact on Sony’s reputation.

Comment

Although the maximum fine that can be levied is £500,000, this is the largest penalty awarded by the ICO against a private company to date. 

The case highlights that organisations that process consumers’ personal data need to remain vigilant to data security and ensure that they have appropriate, effective and up to date security measures in place to protect all personal data stored and processed on their computer systems. 

In the event of a breach occurring, data controllers should consider making a voluntary notification to the ICO and co-operating fully with the ICO’s investigations, as this may be taken into account by the ICO to reduce the level of the penalty.

Tags: Commercial contracts Commercial litigation

Share article

Pete Maguire - Commercial Contracts Lawyer

About the author

Pete Maguire

Partner - Head of Commercial

Pete is the Practice Lead of the Outsourcing, Technology and Commercial Team. He is a commercial contracts lawyer specialising in the drafting and negotiation of outsourcing and commercial contracts.

Pete Maguire

Pete is the Practice Lead of the Outsourcing, Technology and Commercial Team. He is a commercial contracts lawyer specialising in the drafting and negotiation of outsourcing and commercial contracts.

Recent articles

People services law banner
07 December 2023 The WHorld of Employment Law Episode 2: Christmas Parties!

Season's greetings from Wright Hassall! Welcome to a festive themed second episode of The WHorld of Employment Law with Kash Dosanjh, Associate and Sarah Price, Solicitor as they discuss Christmas parties. During the episode, Kash and Sarah discuss common issues that they have come across as a result of work parties and offer advice to employers on what they can do to mitigate this risk.

Read article
Medical negligence banner
07 December 2023 GP remote consultations prove largely effective

Fears that remote consultations with GPs could be unsafe, leading to misdiagnosis of cancers and other potentially life-threatening conditions, such as stroke and heart attack symptoms, have been largely assuaged by a recent Oxford University-led research study 'Remote by Default'. Having looked at the connection between remote consultations and safety incidents it concluded that for most patients the risks are minimal.

Read article
Real estate law banner
05 December 2023 Is ‘hope value’ a help or hindrance?

'Hope value' was originally introduced to ensure that landowners would receive existing use value (EUV) of their land, plus a premium to reflect future lost earnings. Many now argue that such payments are anachronistic and responsible for the artificial inflation of land prices, so the the Levelling Up and Regeneration Act 2023 (LURA) now gives the Secretary of State the ability to remove, or cap, hope value from CPO-related compensation payments.

Read article