ICO To Investigate UK Effects Of Sony Data Breach

The Information Commissioner’s Office (ICO) is investigating the recent Sony network breach with a view to taking action on behalf of the company’s three million registered UK users.

An ICO spokesperson said, “The Information Commissioner’s Office takes data protection breaches extremely seriously. Any business or organisation that is processing personal information in the UK must ensure they comply with the law, including the need to keep data secure.”

Another Week Of Silence

Sony has admitted losing 77 million user records in a security breach on 20 April. The company immediately closed down both its PlayStation Network and the Qriocity music service, but it has come under heavy criticism for not revealing the reason to its customers until a week later.

The ICO commented, “We have recently been informed of an incident which appears to involve Sony. We have contacted Sony and will be making further enquiries to establish the precise nature of the incident before deciding what action, if any, needs to be taken by this office.”

The commissioner has, however, been criticised lately for a weak showing when it comes to fining companies that contravene the Data Protection Act. In the past year, despite several hundred reported breaches, only four companies have been fined. The penalties amount to a total of £310,000 despite the ICO having the power to levy up to £500,000 in any single action.

Sony now claims that the payment card details, which it maintains may or may not have been stolen, were encrypted. This alleviates some of the pressure, both from the UK and US governments, but analysts feel that, in this case especially, encryption is not enough.

“Sony has said the data was encrypted, but in some ways this is even more disturbing,” said Bill Tarzey, analyst and director at Quocirca. “The thief must have had access to the keys, suggesting a level of privileged user access and authentication had been achieved. It seems Sony is also unsure what has actually been accessed, which implies data access auditing measures were not in place.”

Sony has said that the personal details and the payment card information were stored in separate databases but still seems unsure whether any card details were stolen. It estimates that the websites will be down for at least another week while its data infrastructure is moved to “a new, more secure location”.

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative


  • I think there is a lesson to be learned from Sony in terms of data breaches. If you were a user of the PlayStation network there's some free professional security advice here: http://bit.ly/mP23hU
    I'm really interested to see what the ICO's next actions are going to be on this case...
