Sony Computer Entertainment Europe

Breach details

What Loss of personal data (names, addresses, email addresses, dates of birth, poorly-protected account passwords). Customers’ payment card details also potentially at risk.
How much Redacted. Information Week stated 77 million records.
When Detected 19 April 2011
Why In what was perhaps one of the most infamous breaches in recent times, attackers deliberately breached the Sony Playstation Network Platform security and compromised the confidentiality of the information stored.

BW Comments

This is the most heavily redacted monetary penalty notice published by the Commissioner. The details of the breach in the MPN are superficial, although there is much general information available elsewhere on the Internet. Essentially the attackers exploited a system vulnerability and extracted data including personal data, poorly-hashed passwords and encrypted payment card data. The MPN makes it clear that the exploited vulnerabilities were publicly known, and that ‘appropriate updates were available’.

The lessons that all organisations can learn are simple:

  1. Patch systems regularly.
  2. Run regular external vulnerability scans against systems.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 250,000
When 14 January 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the data controller failed to ensure appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on the Newwork Platform, such as additional cryptographic controls to protect passwords and regular patching of vulnerabilities.
Known or should have known Various Sony online networks had previously been the subjects of attacks from hacktivist organisations.
Vast amounts of personal data including financial information were stored on the Network Platform, where system vulnerabilities had not been addressed. The data controller should have anticipated a further attack and, given Sony’s technical expertise, should have put the necessary technical measures in place.
Likely to cause damage or distress It should have been obvious to the data controller that the loss of the substantial volume of personal data held on the Network Platform was likely to cause substantial harm or substantial distress to the data subjects.

BW Observations

A lack of basic security practices such as poor vulnerability management and what can only be assumed to be weak password hashes (at a guess, unsalted MD5) are sufficient to justify a MPN, especially when you consider the number of accounts and the attractiveness to an attacker. The amount could be seen as excessive given that no sensitive personal data was compromised, however it has to be remembered that some 77 million records were compromised. It is the sheer volume of the data breach that influenced the Commissioner.

The ICO correctly observed that the poorly-hashed passwords may be able to be used by the attackers to compromise customer’s accounts at other sites where the customer used the same username and password. This appeared to influence his thoughts on the size of the monetary penalty. However it is interesting to consider whether the poor password management practices of consumers should affect how an organisation chooses to value, and therefore protect, stored passwords. Should passwords be valued as a credential for just the single site, or valued (and protected accordingly) because it is known that many customers’ passwords will also be able to be used to access unrelated sites?

It has been reported that Sony intends to appeal the MPN to the Information Tribunal and although an appeal was initially launched, this was later withdrawn.