Sony drops PSN breach appeal after risk assessment

Jul 15, 2013

PlayStation creator decides to pay hefty fine for 2011 data breach, cites confidentiality of network security as reason for walking away from appeal

Sony, entertainment giant and the company most noted in the security world as the source of a massive breach that impacted millions of accounts in 2011, has said they will abandon the appeal that was filed with the Information Commissioner’s Office (ICO) in the U.K., due to security concerns. The move means they will pay the £250,000 fine ($377,400) levied against the company earlier this year and walk away from the table.

Unknown hackers hit Sony’s network gaming service for PlayStation 3 consoles in April 2011, penetrating the system and stealing personal information from the roughly 77 million accounts on the PlayStation Network and sister Qriocity service.

The ICO slapped Sony with the fine in January, after finding them lacking when it came to Information Security standards. The ICO said the breach could have been prevented had Sony maintained proper security controls, including up-to-date software, as well as strengthened password controls and data protection processes.


“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted — albeit in a determined criminal attack — the security measures in place were simply not good enough,” ICO Deputy Commissioner David Smith said in a statement at the time.

The fine was a hefty one, and the ICO made no apologies for it. However, because the data breach occurred during a massive DDoS attack, which required Sony to pull the PSN offline, and because it was — in Smith’s words — “a determined criminal attack,” Sony pledged to fight the fine and filed an appeal.

In its defense, Sony noted that criminal attacks on electronic networks are a reality, and said it had worked to fix the security problems by hiring someone to take charge of information security within the company and by essentially rebuilding the PSN from the ground up.

Now, however, the company has elected to pay the fine and put the issue behind it. Company officials cited risk as the reason for not pursuing the appeal.

In a statement to the media, a Sony spokesperson said that after some consideration, the company opted “to protect the confidentiality of our network security from disclosures in the course of the proceeding.”

“Sony is making a good security conscious decision to drop the appeal and pay the fine. The first step to defeating security is knowing the type of lock on the door. By not disclosing the nature of those locks, following the rebuilding of its network platform, Sony is withholding intelligence on its defenses from malicious hackers,” Gant Redmon, the General Counsel and VP of Business Development for Co3 Systems told CSO.

Still, while they are willing to pay to protect their infosec secrets, their overall stance on the fine didn’t change.

“We continue to disagree with the decision on the merits,” the spokesperson added.