Sony drops PSN breach appeal after risk assessment

Sony, entertainment giant and the company most noted in the security world as the source of a massive breach that impacted millions of accounts in 2011, has said they will abandon the appeal that was filed with the Information Commissioner's Office (ICO) in the U.K., due to security concerns. The move means they will pay the £250,000 fine ($377,400) levied against the company earlier this year and walk away from the table.

Unknown hackers hit Sony's network gaming service for PlayStation 3 consoles in April 2011, penetrating the system and stealing personal information from the roughly 77 million accounts on the PlayStation Network and sister Qriocity service.

The ICO slapped Sony with the fine in January, after finding them lacking when it came to Information Security standards. The ICO said the breach could have been prevented had Sony maintained proper security controls, including up-to-date software, as well as strengthened password controls and data protection processes.

"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted -- albeit in a determined criminal attack -- the security measures in place were simply not good enough," ICO Deputy Commissioner, David Smith, said in a statement at the time.

The fine was a hefty one, and the ICO made no apologies for it. However, because the data breach occurred during a massive DDoS attack, which required Sony to pull the PSN offline, and because it was -- in Smith's words -- "a determined criminal attack," Sony pledged to fight the fine and filed an appeal.

In their defense, Sony noted that criminal attacks on electronic networks are real, and worked to fix the security problems by hiring someone to take charge of the Information Security arena within the company and by essentially rebuilding the PSN from the ground up.

However, according to the company, they have instead elected to pay the fine and put the issue behind them. Company officials cited risk as the reason why they decided not to pursue the appeal.

In a statement to the media, a Sony spokesperson said that after some consideration, the company opted "to protect the confidentiality of our network security from disclosures in the course of the proceeding."

"Sony is making a good security-conscious decision to drop the appeal and pay the fine. The first step to defeating security is knowing the type of lock on the door. By not disclosing the nature of those locks, following the rebuilding of its network platform, Sony is withholding intelligence on its defenses from malicious hackers," Grant Redmon, the General Counsel and VP of Business Development for Co3 Systems, told CSO.

Still, while they are willing to pay to protect their infosec secrets, their overall stance on the fine didn't change.

"We continue to disagree with the decision on the merits," the spokesperson added.


Stories by Steve Ragan
