The UK's Information Commissioner's Office (ICO) has announced that it will be assessing a penalty of £250,000 on Sony for the 2011 hack that affected 77 million accounts around the world. This is by far the largest monetary penalty the UK's data privacy watchdog has handed out. As usual, a little encryption and the other pillars of data security would have spared Sony such a penalty. Or the role of poster boy for bad data security practices.
If you haven't heard of it (and I must question how you couldn't have), Sony experienced a data breach in 2011. You can read details by following that link, or by reading the ICO's Monetary Penalty Notice for Sony.

Long story short, Sony got lambasted around the world. The public has never truly gotten details (although privacyrights.org shows that the incident affected 101.6 million people and 12 million unencrypted credit card numbers).

I thought we'd finally get some facts regarding the breach, but as you can see from the monetary penalty notice, there's a lot of blacked-out content. "Why?" one wonders. Why can't we know how many Britons were affected but are allowed to know that Sony will have to cough up £250,000? Only the ICO knows, although if you ask me, it makes absolutely no sense. It's not as if the ICO has never revealed before how many people were affected by a data breach.
We generally tend to discuss on this blog issues relating to disk encryption and smartphone mobile security. Now, such solutions wouldn't really have had a bearing on the Sony hack. However, the engine that powers full disk encryption and mobile device management and security – cryptography – does.

Take, for example, the 12 million unencrypted credit card numbers. Whose bright idea was that? PCI-DSS rules – those governing the charging and storing of credit card numbers by merchants – prohibit the storage of card numbers unless they are protected with encryption. And even then, merchants are forbidden from storing the security codes found on the back of cards (and nowadays required for online transactions).

But even if official rules and regulations were not in place, it would only make sense to protect those suckers and encrypt them. I mean, haven't you heard? There are hackers out there!
The ICO has the power to fine companies that breach the Data Protection Act up to £500,000. In comparison, £250,000 looks like a pittance, especially when you consider how much revenue Sony rings up each year.

The ICO has said time and again that it's reserving the maximum fine until the right case comes along. One would imagine that a company that was remiss in safeguarding data and experienced a data breach that affected people all over North America, South America, Asia, Europe, Oceania, and parts of Africa would be a shoo-in for the top penalty.

On the other hand, the UK's jurisdiction ends in the UK. Again, we don't know how many Britons were affected, but it must be significantly smaller than 100 million. I guess they could be waiting until a breach hits every single person residing in the UK...