Sony Computer Entertainment Europe

Breach details

What Loss of personal data (names, addresses, email addresses, dates of birth, poorly-protected account passwords). Customers’ payment card details also potentially at risk.
How much Redacted. Information Week stated 77 million records.
When Detected 19 April 2011
Why In what was perhaps one of the most infamous breaches in recent times, attackers deliberately breached the security of the Sony PlayStation Network Platform and compromised the confidentiality of the information stored.

BW Comments

This is the most heavily redacted monetary penalty notice published by the Commissioner. The details of the breach in the MPN are superficial, although there is much general information available elsewhere on the Internet. Essentially the attackers exploited a system vulnerability and extracted data including personal data, poorly-hashed passwords and encrypted payment card data. The MPN makes it clear that the exploited vulnerabilities were publicly known, and that ‘appropriate updates were available’.

The lessons that all organisations can learn are simple:

  1. Patch systems regularly.
  2. Run regular external vulnerability scans against systems.

Regulatory action

Regulator ICO
Action Monetary penalty of £250,000
When 14 January 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the data controller failed to ensure appropriate technical measures were taken against unauthorised or unlawful processing of personal data stored on the Network Platform, such as additional cryptographic controls to protect passwords and regular patching of vulnerabilities.
Known or should have known Various Sony online networks had previously been the subjects of attacks from hacktivist organisations.
Vast amounts of personal data including financial information were stored on the Network Platform, where system vulnerabilities had not been addressed. The data controller should have anticipated a further attack and, given Sony’s technical expertise, should have put the necessary technical measures in place.
Likely to cause damage or distress It should have been obvious to the data controller that the loss of the substantial volume of personal data held on the Network Platform was likely to cause substantial harm or substantial distress to the data subjects.

BW Observations


A lack of basic security practices such as poor vulnerability management and what can only be assumed to be weak password hashes (at a guess, unsalted MD5) are sufficient to justify an MPN, especially when you consider the number of accounts and the attractiveness to an attacker. The amount could be seen as excessive given that no sensitive personal data was compromised; however, it has to be remembered that some 77 million records were compromised. It is the sheer volume of the data breach that influenced the Commissioner.

The ICO correctly observed that the poorly-hashed passwords may be able to be used by the attackers to compromise customers’ accounts at other sites where the customer used the same username and password. This appeared to influence his thoughts on the size of the monetary penalty. However, it is interesting to consider whether the poor password management practices of consumers should affect how an organisation chooses to value, and therefore protect, stored passwords. Should passwords be valued as credentials for just the single site, or valued (and protected accordingly) because it is known that many customers’ passwords will also be able to be used to access unrelated sites?

It was reported that Sony intended to appeal the MPN to the Information Tribunal; although an appeal was initially launched, it was later withdrawn.

Leeds City Council

Breach details

What Loss of sensitive personal data (child protection).
How much Personal data relating to 4 data subjects.
When 28 July 2011
Why A support assistant, following council policy and re-using an old envelope for internal mail, failed to cross out the original address and later mistakenly put the envelope in the external post tray. As a result, the document was received by an unauthorised individual.

Regulatory action

Regulator ICO
Action Monetary penalty of £95,000
When 16 November 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, for example using different styles of envelope for internal and external mail, having a peer checking process and providing appropriate training.
Known or should have known The ICO was satisfied that the Council should have known that there was a risk that the contravention would occur and accordingly should have had controls in place to minimise the possibility of a breach of confidentiality caused by human error.
Likely to cause damage or distress The contravention was likely to cause substantial distress to at least one of the data subjects, a vulnerable young person, due to the nature of the data involved.

Devon County Council

Breach details

What Loss of sensitive personal data
How much Personal data relating to approximately 22 data subjects.
When 12 May 2011
Why A social worker prepared an adoption panel report using another family’s report as a template. The service users forgot to take the report with them after a meeting and requested it be posted. The report used as a template was posted by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £90,000
When 10 December 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate organisational measures against unauthorised processing of personal data, such as having a peer checking process for envelopes containing confidential and sensitive personal data and providing appropriate staff training.
Known or should have known Staff working in the People Services department were used to dealing with such cases and the data controller would have been aware of the confidential and sensitive nature of the personal data they were dealing with on a daily basis.
Likely to cause damage or distress The data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may have been further disseminated and possibly misused, even if those concerns do not actually materialise. Many of the affected individuals were considered to be vulnerable.

London Borough of Lewisham

Breach details

What Loss of sensitive personal data (child protection).
How much Personal data relating to an undisclosed number of data subjects.
When 16 March 2012
Why Case papers relating to a child protection matter were taken out of the office in a plastic bag and were mistakenly left on a train.

Regulatory action

Regulator ICO
Action Monetary penalty of £70,000
When 12 December 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council had failed to take appropriate measures against the accidental loss of personal data, such as having robust policies/guidelines in place; training for staff who need to take paper files containing sensitive personal data out of the office; providing security locks for bags; and using encrypted USBs.
Known or should have known The council recognised that social workers had a business need to take paper files containing confidential and sensitive personal data out of the office and should have put reasonable measures in place to prevent data loss.
Likely to cause damage or distress The data loss would potentially cause substantial distress to individuals including vulnerable children who may know or suspect that their confidential and highly sensitive personal data has been disclosed; and the contravention could have prejudiced the court hearing of the child protection case.

Plymouth City Council

Breach details

What Loss of sensitive personal data (child protection).
How much 2 records.
When 23 November 2011
Why As a result of a printing problem, two separate reports were taken from a printer by a social worker, treated as a single document and passed to a service user.

BW Comments

A control that required a user to enter a code to collect their printout would have stopped this problem happening. Given the sensitive nature of the information printed in a social work environment, it is not unreasonable – given the widespread availability and relatively low cost of this type of system – to now expect this. Other organisations that frequently print such sensitive information should conduct a risk assessment and look at implementing a manual control (such as peer-review of documents) until an upgrade to their printer software can be deployed.

Regulatory action

Regulator ICO
Action Monetary penalty of £60,000
When 19 November 2012

Why the regulator acted

Breach of act Breach of the seventh principle: the council failed to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to provide a more secure way of providing access to printout, given the sensitive nature of the information provided.
Known or should have known The ICO’s view was that the Council should have known that any disclosure of such sensitive information would have the potential to be extremely damaging and accordingly should have had controls in place to minimise the possibility of a breach of confidentiality caused by human error.
Likely to cause damage or distress The information concerned child protection and could have resulted in “physical harm or blackmail”.

BW Observations

It could be argued that the ICO’s argument for the ‘known or should have known’ test has the benefit of hindsight; however, the breach occurred because there were no controls in place and not because an in-place control failed.

Prudential Assurance Company

Breach details

What Data integrity – two customers’ records were merged incorrectly.
How much 2 records.
When March 2007 until 24 September 2010
Why Insufficient steps taken to ensure the accuracy of data once the problem had been reported by both customers.

BW Comments

The breach of the fourth principle was not in respect of the original erroneous merge, but that the Data Controller failed to rectify the problem.

Regulatory action

Regulator ICO
Action Monetary penalty of £50,000
When 6 November 2012

Why the regulator acted

Breach of act Breach of the fourth data protection principle – customers’ data must be accurate and kept up to date. Despite repeated notification from both customers, the Prudential failed to adequately investigate or rectify the problem.
Known or should have known The ICO’s view was that Prudential, as “a large company in the financial services sector with approximately six million customers” should have been aware that some customers could share the same name and so should have had processes in place to investigate and rectify such an occurrence when this was reported by a customer.
Likely to cause damage or distress The ICO’s view is that disclosure of financial information to a third party with “no right” to see the information was likely to cause “substantial distress”. Actual damage temporarily occurred in that tens of thousands of pounds, meant for an individual’s retirement fund, ended up in the wrong account and were moved away from the Prudential (although all funds have since been recovered, and compensation paid).

BW Observations

This was the first MPN in respect of a breach of the fourth principle. Although the ICO’s reasoning in respect of the degree of damage or distress is debatable, what is interesting is the Commissioner’s reasoning in respect of the s55A(3) ‘known or should have known’ test. The ICO’s argument is not that the Prudential should have had sufficient data integrity controls in place to prevent the problem occurring, but that, given such an error was probable in a company with six million customers, there should have been robust procedures in place to properly investigate the customers’ complaints and rectify the situation.

Organisations should consider whether they have the necessary training and systems in place for what might appear to be a simple change-of-address problem in a front-line system to be identified and investigated as a potential breach of integrity.

Stoke-on-Trent City Council

Breach details

What Loss of sensitive personal information.
How much 11 records.
When 14 December 2011
Why 11 unencrypted emails relating to a child protection case were sent to the wrong email address by mistake.

Regulatory action

Regulator ICO
Action Monetary penalty of £120,000
Enforcement notice issued to ensure that a training program to make staff aware of data protection security procedure is arranged within 35 days.
When 25 October 2012

Why the regulator acted

Breach of act Failure to take appropriate technical and organisational measures against unauthorised processing of personal data, in particular a failure to train employees appropriately and provide a secure means of sending email.
Known or should have known Staff were used to handling confidential and sensitive personal data and the danger of sending unencrypted email, which the data controller was aware was occurring, should have been self-evident.
Likely to cause damage or distress Data was confidential and highly sensitive and related to an ongoing legal case.

Greater Manchester Police

Breach details

What Loss of sensitive personal data relating to criminal activities.
How much 1,075 records
When 17 July 2011
Why Theft of an unencrypted memory stick from an officer’s home.

BW Comments

It is really hard to stop the use of unencrypted media unless its use is blocked by endpoint protection software and encrypted USB drives are issued to everyone who needs them. Having a written policy that is not enforced is useless.
This is most clearly illustrated by paragraph 8 of the Monetary Penalty Notice: after the security breach the police force had an ‘unencrypted USB memory drive amnesty’ and recovered 1,100 such USB drives – despite having a policy stating that such drives should not be used.

Regulatory action

Regulator ICO
Action Monetary penalty of £150,000.
When 13 September 2012

Why the regulator acted

Breach of act A number of officers across the force regularly used unencrypted memory sticks, which may also have been used to copy data from police computers to access away from the office.
Known or should have known Despite a similar security breach in September 2010, the force had not put restrictions on downloading information, and staff were not sufficiently trained in data protection.
Likely to cause damage or distress The memory stick contained highly sensitive personal data relating to people with links to serious crime investigations.

BW Observations

Given the apparently endemic use of unencrypted media by the force, the fine appears to be on the low side of what the Commissioner could have levied. The ICO reported the MPN when it was paid, as the original date of issue coincided with the loss of two of the force’s police officers.

Norwood Ravenswood Ltd

Breach details

What Loss of sensitive personal data.
How much Four records.
When 5 December 2011
Why A social worker left background reports relating to four young children outside the home of prospective adopters in a concealed place, since they were not in. When the prospective adopters arrived home about 30 minutes later the package had disappeared.

Regulatory action

Regulator ICO
Action Monetary penalty of £70,000
When 10 October 2012

Why the regulator acted

Breach of act Despite an existing policy, there was no specific guidance relating to sending personal data to prospective adopters. The social worker in question had not received any data protection training, despite a commitment to it being provided existing in the data controller’s policy.
Known or should have known The data controller had an overarching data protection policy which staff were aware of, even if specific guidance was not given. The sensitivity of staff’s work would have been self-evident.
Likely to cause damage or distress The background reports contained detailed, confidential and highly sensitive personal data relating to the children and their birth families, including medical histories and details of any abuse or neglect. At this time, the reports have not been found.

Scottish Borders Council

Breach details

What Loss of sensitive personal data.
How much 676 records.
When 10 September 2011
Why A member of the public noticed that a paper recycling bank had been overfilled with discarded files that contained personal information. Investigation showed that eight boxes containing 676 files had been deposited in the recycling bank by a data processor working for the council.

Regulatory action

Regulator ICO
Action Monetary penalty of £250,000; £0 after appeal
Overturned on appeal to the Information Rights Tribunal
When 11 September 2012

Why the regulator acted

Breach of act There was no contract in place between the data controller and the data processor. Documents scanned for the data controller by the data processor should have been disposed of securely, or returned in person.
Known or should have known The data controller was holding confidential and sensitive personal data relating to its employees, including financial data and details of a pension scheme. The seriousness of such data should have been self evident.
Likely to cause damage or distress Financial and Medical data. The arrangement had been in place since 2005 and approximately 9000 pension records would have been processed and possibly incorrectly disposed of.

Appeal

The MPN was overturned on appeal to the Information Tribunal.