Bristows client Sony Computer Entertainment Europe (SCEE) has been fined £250,000 by the Information Commissioner’s Office (ICO) after hackers gained access to the personal details of millions of online gamers via the PlayStation Network in 2011.
The data watchdog said on Thursday that the privacy breach was “one of the most serious ever reported to us” because it exposed such a huge number of users – reportedly more than 70 million – to the risks of identity theft.
“If you’re responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority,” concluded ICO director of data protection David Smith. “In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.”
The fine, understood to be the third-largest penalty ever imposed by the ICO, concludes an investigation that started in April 2011, when hackers took down the online version of Sony’s PlayStation.
In-house solicitor Catherine Devitt, who has worked for the data regulator since 2002, was the lawyer who led on the investigation.
It is understood that Bristows, a longstanding adviser to Sony Computer Entertainment Europe (SCEE), has been the lead adviser to SCEE during the investigation, with IT head Mark Watts expected to be in charge of an external legal team. However, both Sony and Bristows declined to comment directly.
In a statement sent to The Lawyer, Sony said: “Sony Computer Entertainment Europe strongly disagrees with the ICO’s ruling and is planning an appeal.
“Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient.”
SCEE rebuilt its Network Platform following the breach, which exposed users’ passwords, payment card details, names and addresses to hackers.