On January 24, 2013, the UK Information Commissioner’s Office (“ICO”) served Sony Computer Entertainment Europe Limited (“Sony”) with a monetary penalty of £250,000 resulting from a serious breach of the Data Protection Act 1998. An April 2011 security incident involving the Sony PlayStation Network Platform affected the personal data of millions of customers, including names, addresses, email addresses, dates of birth, account passwords and credit card details.
Commenting on the seriousness of the case, ICO Deputy Commissioner David Smith said “[i]f you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority. In this case that just didn’t happen…the security measures in place were simply not good enough.”
The monetary penalty notice indicated that the affected personal data were “unlikely to have been used for fraudulent purposes,” and that no complaints had been received to date. Sony has since completely rebuilt the PlayStation Network Platform to improve the security of stored personal data.