The ICO investigation found that the attack could have been prevented if the software had been up-to-date, as appropriate updates were available.
“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough," David Smith, Deputy Commissioner and Director of Data Protection, commented the decision.
“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
He acknowledged that the fine is substantial, but appropriate, as this was one of the most serious cases of breach of the Data Protection Act that has ever been reported to the Office.
“If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to," he concluded.
When deciding on the amount of the fine, the ICO took into account several mitigating factors such as the fact that the Sony was subjected to a "focused and determined criminal attack", that it had voluntarily reported it to the Commissioner's office, and that the accessed information is "unlikely to have been used for fraudulent purposes."
According to The H Security, Sony Computer Entertainment Europe is planning on appealing the ICO's decision.
Commenting on the amount of the fine, Check Point’s UK Managing Director Terry Greer-King said: “It underlines the fact that companies have to take the protection of customer data seriously, and take steps to prevent that data being accessed."
“In 2012, we surveyed over 550 C-level and IT staff at UK firms and found they reported an average of 68 new security attack attempts per week, with financial fraud and theft of customer data as the primary targets. It shows how big this problem has become, and the importance of implementing pre-emptive protection to safeguard critical data assets.”