The ICO criticized Sony for the techniques it used to protect users' credentials and said that, even though the attack was a targeted one, a company that deals with technology should have at its disposal the expertise that could have prevented the attack. The breach led to exposure of email addresses, dates of birth, passwords, etc. of millions of customers and, according to the ICO, customers' payment details were also at risk.
ICO Deputy Commissioner David Smith stressed that a company that is responsible for and deals with its customers' payment card details and log-in credentials should have the protection of such information as its highest priority.
Smith said in a press release, "It [Sony] is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
"The penalty we've issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft," he added.
Sony isn't planning to sit this one out quietly: it intends to appeal against the ruling, since the ICO has itself pointed out that the data loss was the result of a "focused and determined criminal attack".