July 15, 2013
Sony To Pay ICO Fine To Avoid Revealing Security Secrets
Michael Harper for redOrbit.com - Your Universe Online
Sony has said they will not be appealing a $376,000 fine levied against them earlier this year by the UK's Information Commissioner's Office (ICO). The British organization tagged the company with this fine following 2011's attack on their PlayStation Network by members of the hacking group Anonymous. The attack on the network left some 70 million registered users unable to sign in to their accounts and exposed the information of those who had entered competitions hosted by Sony.
Last January the ICO, a British watchdog group, found Sony ultimately responsible for this breach and accused them of not protecting user information. The organization fined Sony $376,000, a decision which Sony immediately said they would appeal. According to V3, Sony has now agreed to withdraw the appeal and pay the fine to drop the investigation rather than have their security procedures revealed.
The ICO announced this news on Twitter, writing: "#Sony CEE confirms it will not be appealing 250k (pound) penalty after serious #DPA breach." Sony says this willingness to pay the ICO doesn't indicate any wrongdoing on their part; they simply didn't want to have their security procedures revealed as part of an ICO investigation.
"After careful consideration we are withdrawing our appeal. This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits," explained a Sony spokesperson to V3. The ICO was pleased with this decision, saying in a statement: "We welcome Sony Computer Entertainment Europe Limited's decision not to appeal our penalty notice following a serious breach of the Data Protection Act."
When they first lobbed the fine at Sony, the ICO claimed the company had failed to uphold the Data Protection Act by using weak password encryption.
"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority," explained David Smith, deputy commissioner and director of data protection for the ICO last January.
Sony disagreed with these charges and said hacking is simply becoming an increasingly sophisticated and common aspect of modern life.
"Sony Computer Entertainment Europe strongly disagrees with the ICO's ruling and is planning an appeal," read a statement earlier this year.
"Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defense and working to make our networks safe, secure and resilient."
Some of the hackers responsible for breaking into Sony's PSN database stores have been charged for these attacks, including hacker Cody Kretsinger from Tempe, Arizona. The Lulzsec member was sentenced to one year in prison, 1,000 hours of community service and a $603,663 fine.
Kretsinger's accomplice, Raynaldo Rivera, has also pled guilty to charges from 2011's attack on Sony. Following the attack, the hackers claimed they targeted Sony merely to show the company's customers how weak its privacy procedures were.
"From a single injection we accessed EVERYTHING," the hacking group said in a statement at the time. "Why do you put such faith in a company that allows itself to become open to these simple attacks."
They later added: "They were asking for it."