An attack on 77 million PlayStation Network users "could have been prevented," according to the Information Commissioner's Office (ICO), which has fined Sony £250,000 for the "serious breach" of the Data Protection Act.
Sony has issued a statement saying it "strongly disagrees" with the fine and is planning to appeal its severity. "Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient," a spokesman told the BBC.
Between 17 and 19 April 2011, a group of hackers attacked the PlayStation Network and managed to access the personal information of up to 77 million customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers' payment card details were also at risk.
Sony shut down the network on 20 April, but the ICO has this morning blamed Sony for using out-of-date software and insecure passwords. While no group claimed credit for the attack - and hacktivist group Anonymous denied responsibility - it is believed the attack was retribution for Sony suing hacker George Hotz, who had discovered a way of hacking his PlayStation 3.
David Smith, deputy commissioner and director of data protection, said: "If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough."
Smith acknowledged the severity of the fine, but said he made "no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft."
Sony has since rebuilt the PlayStation Network platform to be more secure, something Smith believes should have been done prior to the breach:
"There's no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
Following the breach, Sony publicly apologised to all customers, with senior Sony executives bowing in public to show their remorse. The company also gave customers a "Welcome Back" package including free PlayStation 3 and PSP games.
The ICO said one good effect of the hack was that 77 percent of consumers were more cautious about giving their personal details to other websites following the PSN breach. "Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to," Smith added.
Under the UK's Data Protection Act, Sony could have faced a fine of up to £500,000.