...the attack could have been prevented if the software had been up-to-date, while technical developments also meant passwords were not secure.
The monetary penalty notice describes the background and the ICO's reasoning but is heavily redacted. Apparently the intrusion and theft of data occurred as a result of an attack that exploited unpatched software to gain access to personal and business data, including insecurely stored passwords. It is a great pity the monetary penalty notice has been redacted, since other similar ICO notices and undertakings don't seem to be able to have this benefit, and neither do organisations issued with enforcement notices by the FSA.
SCEE are allowed an early payment discount of 20% if the monetary penalty is paid by 14th February 2013, but it is widely reported that Sony are to appeal against the decision. But I am not sure whether it was "a focused and determined criminal attack" or not makes any difference as to the requirement for baseline security measures. Also, the facts that "there is no evidence that encrypted payment card details were accessed" and that "personal data is unlikely to have been used for fraudulent purposes" don't mean there wasn't a breach of the Data Protection Act 1998.
Posted on: 25 January 2013 at 08:35 hrs