Information Assurance


The State of Information Security in UK

by Shannon Simpson | Mar 19, 2013

by Edd Hardy

In 2011 Sony was attacked a number of times and suffered huge breaches, breaches that were headline news around the world. Sony made a number of very simple, basic, fundamental errors, errors that not only helped the attack happen but also made it so much worse. For example, passwords were not encrypted, meaning that attackers could read the passwords, which users could well have reused elsewhere. It took Sony time to notice the attack, and it only became public knowledge when the hackers started publishing content from the databases and bragging.

At its worst, the network was shut down, meaning the 77 million registered users simply couldn't use the service. The cost to Sony must have been huge: forensic costs, fixing the problem, downtime, reputation damage. It was a humiliating experience for Sony; the CEO of Sony bowed to the media and made a formal apology. It was such a serious event that Sony had to explain it to Congress in the USA.

[Photo: Sony bowing in shame]

In the UK the ICO (Information Commissioner's Office) has condemned Sony, the very valid point being made that Sony is a highly technical company; they trade on their technical knowledge. If you read the text of the penalty notice (/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx), it states that the breach was probably because a vulnerability existed, but that fixes and updates for that issue existed prior to the attack and were not applied. In other words, the network wasn't patched.

The most disappointing bit in this whole series of events is that the ICO says this is one of the most serious events ever reported to them, yet the fine is £250,000. That's it, £250,000. That's hardly going to be an issue for a company the size of Sony; it's not a punishment, it's a mere inconvenience. However, it gets worse: reading the text of the judgment, it turns out that ICO fines are like parking tickets. If you pay early, you get a discount. If Sony pay by the 13th of February they get 20% off, so it becomes £200,000.

The fine seems wrong on so many levels. The ICO can levy a fine of up to £500,000, but even that wouldn't exactly hurt Sony. It seems fundamentally wrong that something that affects so many people deserves such a small fine. If you look at some of the other fines it seems even worse. The London Borough of Barnet was fined £70,000 after it lost details of 15 vulnerable children. The records were stolen when someone physically broke into an employee's house. Absolutely that is a breach that could have been avoided, e.g. by not having paper records. But fining a council that is desperately short of cash £70,000, which will have a detrimental effect on front line services and probably won't help information security (they now have £70k less to spend on things like encryption), seems unfair when you look at fining Sony something that will be a fraction of what they have spent on legal fees!

The media are already reporting that Sony intends to appeal against this judgment. 

This sums up the attitude to security in many companies and indeed the country. If huge multinational companies have a totally avoidable breach that has an impact on a huge number of customers, and they are fined in such a minimal way, is there any point in the fine at all? Is it going to encourage other companies to secure their systems and prevent breaches?