ICO confirms it will quiz Sony over PSN

Did Sony properly protect our data?

The Information Commissioner's Office will quiz Sony over the theft of millions of PlayStation Network users' personal data, Eurogamer can reveal.

It intends to ask the company questions over the possible theft of millions of users' credit card information - and find out whether it properly protected gamers' data.

"The Information Commissioner's Office takes data protection breaches extremely seriously," the organisation told Eurogamer this morning.

"Any business or organisation that is processing personal information in the UK must ensure they comply with the law, including the need to keep data secure.

"We have recently been informed of an incident which appears to involve Sony. We are contacting Sony and will be making further enquiries to establish the precise nature of the incident before deciding what action, if any, needs to be taken by this office."

Sony is facing accusations that it should have alerted its customers to the possibility that their credit card information had been stolen earlier than yesterday. Security codes have not been taken.

Sony is encouraging customers to check their credit card statements and be on the lookout for scam emails and letters.

But questions have this morning arisen over the steps Sony took to protect our information.

The fact that user passwords have been "obtained", as Sony puts it, suggests Sony stored user passwords as plain text – and did not encrypt them.

Earlier this morning Eurogamer revealed UK gamer rights group Gamers' Voice plans to contact the ICO over the security breach.

Sony has pledged to track down the hacker responsible.

Comments (52)

  • TopKatt #1 1 year ago

    Good, I bet Shadows of the Colossus has a few questions it wants answered as well.
  • Raz76 #2 1 year ago

    And if they can't answer he'll poke them with his horns (damn, someone beat me to the ICO gag!)
  • rotmm #3 1 year ago

    Unfortunately, The Last Guardian wasn't in place in time to stop the hackers.
  • thewool #4 1 year ago

    This is the Last Guardian, I mean straw....


    ... IGMC
  • TheEarlOfZinger #5 1 year ago

    How can they track them down? Genuinely interested.
  • AbyssUK #6 1 year ago

    I hope Sony is punished under the full extent of the law, a company with its knowledge and funds should have a watertight system.. no excuses. It appears that the hackers used old exploits on breathtakingly old systems, this could all have been prevented with standard good simple IT practices. Sony have failed all their customers big time through lack of care.
  • Quak #7 1 year ago

    Wow, who stores passwords as plain text these days?
  • GamesProgrammer Verified Games Team Programmer, Eutechnyx Ltd. #8 1 year ago

    @AbyssUK

    Could you list your sources for that information or are you making it up? I'm sure if you're not, the ICO would be interested to know about it.
  • LazyDan #9 1 year ago

    LazyDan/norks

    Apparently you have to start each comment with your username and password on Eurogamer now. I hope it's encrypted properly.
  • RexRunti #10 1 year ago

    /wonders if EG are quickly checking their servers to ensure passwords aren't stored in plain text...

    Edit: PS: There is no excuse for storing passwords in plain text.
    Edited by RexRunti at 27/04/11 @ 11:03
  • Freek #11 1 year ago

    @7 The same company that used a single number string in place of a random one in its DRM system.

  • Architect_z #12 1 year ago

    @TopKatt

    Dammit I so wanted to use that joke! Damn you for being the first comment!!!
  • tomkuryakin #13 1 year ago

    TopKatt, top gag.

    God knows I need a laugh right now.
    Edited by tomkuryakin at 27/04/11 @ 10:59
  • JoeGBallad #14 1 year ago

    Actually, this could have happened to any company. Doesn't matter how 'tightly' you secure this kind of information, it can always be hacked into.

    However, I am not defending Sony one bit. It is shocking that they kept us in the dark for so long. Not only that, even if they only did find out on Monday that customer details were taken, they should have told us all straight away, not a day later.

    AND EVEN THEN, the various websites reporting this have been saying Sony are sending emails to all PSN users, but I haven't received one yet. So if I wasn't checking these websites every day, I would still be completely in the dark about what has happened to my personal details.

    It's truly shocking.
  • TheRook21 #15 1 year ago

    @Architect_Z

    That's why he's the indisputable leader of the gang...
  • berelain #16 1 year ago

    Puns gratefully received. TopKatt, Romm, thewool... well played.


    EDIT: @JoeGBallad - my US account got an email this morning from Sony..or rather, the same email, badly formatted, twice. My UK account has yet to receive a thing.
    Edited by berelain at 27/04/11 @ 11:04
  • JoeGBallad #17 1 year ago

    @berelain that'd be funny if it wasn't totally expected by the games industry.
  • Widge #18 1 year ago

    YOORRRR
    YOORRRR
    EN TOI?
    EN TOI?
  • Bigmac1910 #19 1 year ago

    Just cancelled my Debit Card, not sure if I will ever give Sony the new one, going to buy some Playstation Network Cards if I really want something.
  • Murton #20 1 year ago

    "The Information Commissioner's Office takes data protection breaches extremely seriously," the organisation told Eurogamer this morning.

    Cough *PlusNet* cough. They sent customers' personal information to ACS Law in an unprotected spreadsheet and you didn't ask them a damned thing, same goes for Sky who handed over data without permission or court order, albeit with encryptions. The OIC is also yet to act on the practice of selling personal information given in good faith so I'm calling BS on their intentions. It would appear that they're more interested in upholding the law with regards to protection of the data and the issuing of large fines than actually tackling the issue of how people's personal data is handled by businesses, which is actually supposed to be its core job, not upholding the DPA.
  • RexRunti #21 1 year ago

    To be fair, even if Sony are sending 100 emails every second it will take the best part of 9 days to send all 77 million.

    That said, whilst any company can get hacked it is quite clear that Sony did not have even basic security measures in place (e.g. storing passwords as a salt + salted hash) so deserve the anger directed at them.
  • ron_aldo #22 1 year ago

    I am a web/application developer and I know it is very easy to encrypt passwords before they are inserted into the database. It should be standard practice and we do it regardless of how sensitive the information is. But having said that, we have contracted work out sometimes and they haven't encrypted passwords on the database server.
  • disappointed #23 1 year ago

    "We have recently been informed of an incident which appears to involve Sony."

    They're well on top of this...
  • Snufkin #24 1 year ago

    Didn't Geohot say that his hacks were using an exploit that really shouldn't have been there and essentially made the whole system exploitable? I know literally nothing about hacking, security etc so am not qualified to judge anybody on this, but if Sony are found to have been resting on their laurels in the arrogant presumption that they wouldn't be targeted by super-villain geniuses then they need to have their knuckles severely rapped.

    It seems that ID-theft insurance I just took out was timely.
  • cw- #25 1 year ago

    @Joe

    AND EVEN THEN, the various websites reporting this have been saying Sony are sending emails to all PSN users, but I haven't recieved one yet. So if I wasn't checking these websites every day, I would still be completely in the dark about what has happened to my personal details.

    It takes A VERY long time to send 75 million emails...
  • RexRunti #26 1 year ago

    To be honest I'm more interested in what the ICO equivalents in other countries do; the ICO over here will just say "don't do it again" and leave it at that.
  • bemaniac #27 1 year ago

    These breaches can be fined up to 10% of annual turnover which would lead to massive scalebacks and branch closures.
  • AbyssUK #28 1 year ago

    @GamesProgrammer : - Firstly http://www.vg247.com/2011/04/27/supposed... not confirmed all true but still very believable.

    Secondly it's always because the company doesn't upgrade its systems that they get hacked, that's how 95% of 'hacking' works.. use known exploits on non up-to-date systems. Sony have the money and resources to have 0day even 0hour patching in place and the CPU power to use high end encryption techniques; it seems they didn't. Otherwise, think about it, they would be telling everybody it's OK, the data stolen was encrypted and would take them 10^17 years to brute force.. but guess what, they haven't, so guess what... it's either badly encrypted or not encrypted at all.

    Also if it's taken them a week to work out what has actually been taken, then they aren't going to find who did this, but I bet a scapegoat gets conjured up from somewhere...
  • callum9999 #29 1 year ago

    AbyssUK - Should have a watertight system? Surely the system can only be as good as the person who designed it, and as long as there is someone smarter out there (or similarly smart and very determined) it can be hacked.

    I seem to remember the US military/Pentagon got hacked by a bedroom hacker here in the UK (no idea to what extent, but it was definitely breached). Surely they would have stronger protection than a gaming network?

    You can never be completely safe when the internet is involved.
  • axman303 #30 1 year ago

    Have you noticed how the UK version of Sony's announcement does not include links to on-line credit check agencies like the US version does? Presumably because in the UK it costs £2 for a standard check, whereas in the USA you may have one credit check per year free by law. So I guess they don't want to be held liable for this £2 standard credit check cost? Perhaps ICO or some other body should demand that Sony pay for customers' credit checks in the UK?

    UK Announcement (lacking credit check links):
    http://uk.playstation.com/psn/news/articles/detail/item369506/PSN-Qriocity-Service-Update/

    USA Announcement (with credit check links):
    http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/
  • Freek #31 1 year ago

    Looking at the clues: passwords stored as plain text, the entire network needing to be rebuilt (presumably from something insecure to something that is secure) and the sheer volume of stolen data, it wouldn't be too strange to assume something is very deeply wrong at the core with PSN.
    That it wasn't properly secured to begin with.
    Edited by Freek at 27/04/11 @ 11:32
  • djed #32 1 year ago

    Sony will be quite displeased with this article, seeing as you've called Playstation network users "gamers", when the Playstation in fact is a Home Entertainment Machine(tm)(r)(c), capable of becoming your one-stop for all your home entertainment system needs. Thus it prefers you call its users with the tasteful moniker "defrauded suckers".
  • TheEarlOfZinger #33 1 year ago

    DcP729UK

    Interesting, thanks. I'd want to see this person/people punished to the full extent but Sony should also be accountable if they have not done their jobs properly in any way.

    Just a sad situation all round.
  • Murton #34 1 year ago

    "To be honest I'm more interested in what the ICO equivilents in other countries do the ICO over here will just say "don't do it again" and leave it at that."

    Ours can impose fines and serve improvement notices; if the company in question fails to meet the requirements of the improvement notice then they are likely to be found to be grossly negligent and can be prosecuted. Other countries have similar consequences but the criteria vary.

    The reaction from the US and EU will be the ones to watch, they'll be slower to move than our OIC but they can bring the hammer down much harder. When MS fell foul of the EU Competition Commission a few years ago they were served an improvement notice with a 100 million Euro per day fine until the criteria of the notice was met, that's a serious consequence of bad business actions.
  • AbyssUK #35 1 year ago

    @All - please, there is such a thing as a watertight system, and that is a system which is constantly changing, constantly evolving; it is possible to design such a system as many are in place today.... and seriously the Pentagon 'hacks' by that UK bedroom hacker (Gary McKinnon) are a joke.... technically not even hacking, he just attempted to get in using blank admin passwords on unsecured Windows PCs and the real news was on the .mil address he found some!! Now they want to throw HIM in prison and not the idiot IT admins/technicians who set a friggin' blank admin password on a military class machine.

    Yes a very very good crew could break open any system, but it would take them a long time and need lots of custom coded exploits and cpu power (supercomputer/highly populated cloud level cpu power)
  • miufs #36 1 year ago

    Is it too late to do an ICO (the game) gag?

    Please say no.
  • bluetoothion #37 1 year ago

    @Abyss UK

    Everyone wants better security, I assure you, but you want Sony (or put any other company name if it occurs) punished to the extent of the law??? for another one's ILLEGAL action???

    If I leave my home window open and you steal from me, I'm the one who should be punished??? jeeeez
  • AbyssUK #38 1 year ago

    @bluetoothion - I'm not saying what the hackers did was right at all. They are in the wrong but.. let's say you lent me your TV, I put it in my house next to the window and left the window open and somebody took it... would you want me to replace the TV? Of course you would, because I didn't look after what was yours well enough, I should have closed the window.

    Now times that by 77 million and I'd call it criminal negligence on a massive scale.
  • Ryze #39 1 year ago

  • rare_uk #40 1 year ago

    @miufs "Is it too late to do an ICO (the game) gag?

    Please say no."


    Quick head on over to here and crack it....zero comments atm
    Edited by rare_uk at 27/04/11 @ 12:16
  • CaptainKid #41 1 year ago

    Simple question:
    What is The Information Commissioner's Office?

    A UK agency or European?
    What does it do?
  • bluetoothion #42 1 year ago

    We all signed an online agreement with Sony so any legal claims surviving that will not fall (if or when actual CC compromise or actual consumer damage is proven), but what I saw in your post, along with so many others, of course made me wonder how on earth people can put more blame on the victim than on the culprit.

    One or two weeks out of PSN is a major loss for Sony as well (not that we care) ....but I see rage, rage? from people which is irrational....that's why I got to the example with the window. Because we lost focus on the potential crime (some even praised robin hood hackers some days ago) and kept focus on the obvious lack of proper security to sensitive data, even though personally I find it hard to believe it's as poor as people yell because it wouldn't be 2011 since it happened.
  • lostlain #43 1 year ago

    Surely obtaining passwords could also just mean they got the hashed passwords? Still not good, but totally different to plain text.
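    The distinction argued over in comments #21 (salt + salted hash) and #43 (hashed rather than plain text passwords), as an added example that is not part of the article or any comment: a plain text record hands the password to whoever copies the user table, while a per-user random salt plus PBKDF2-HMAC-SHA256 leaves only a verifier. The field names and the constructed users are assumptions for illustration; only the Python standard library is used.

```python
"""Added example (not from the article or its comments): plain text storage
versus a per-user salt plus salted hash, the two possibilities the commenters
debate. Standard library only."""
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor; a real deployment tunes this upward over time.
ITERATIONS = 100_000


def store_plaintext(password: str) -> dict:
    """The scheme the article suspects: the row *is* the password."""
    return {"password": password}


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a random per-user salt and the salted hash, never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_salted_hash(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leak_reveals_password(record: dict) -> bool:
    """What a copied row gives away directly: True only for the plain text scheme."""
    return "password" in record


if __name__ == "__main__":
    # Two constructed users who happen to choose the same password.
    alice = store_salted_hash("correct horse")
    bob = store_salted_hash("correct horse")
    print("plain text row:", store_plaintext("correct horse"))
    print("same password, different rows:", alice["hash"] != bob["hash"])
    print("login still works:", verify_salted_hash(alice, "correct horse"))
    print("wrong password rejected:", not verify_salted_hash(alice, "correct horse "))
```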
  • Murton #44 1 year ago

    "What is The Information Commissioner's Office? "

    It's a UK based regulator that's supposed to make sure that organisations within the UK use our personal data appropriately, it's also the independent body in this country that authorises the use of surveillance but in the last two years or so it's decided to act as judge, jury and executioner on Data Protection issues and stopped bothering with its core duties to the public.

    EDIT: @lostlain - exactly, we don't have the full facts right now, just a lot of assumptions. We don't even know if the alleged hackers actually downloaded any data, only that they breached the server where those details were held. Best thing to do is play some single player games and wait for the next update. Hopefully Sony and their security contractors can piece together more of the alleged hackers actions and confirm what he did and did not do and perhaps allay some of these fears.
    Edited by Murton at 27/04/11 @ 13:09
  • levitate #45 1 year ago

    -"We have top men working on this."
    -"Who?"
    -"Top. Men."
  • tiny_Eggy #46 1 year ago

    Biggest commercial security breach ever?

    "The fact that user passwords have been "obtained", as Sony puts it, suggests Sony stored user passwords as plain text – and did not encrypt them."

    There is really not a single shred of evidence to support this claim though.
  • CaptainKid #47 1 year ago

  • Mister-Wario #48 1 year ago

    "Actually, this could have happened to any company. Doesn't matter how 'tightly' you secure this kind of information, it can always be hacked into".

    True, but you can make it a lot harder for hackers to do so. I mean, when you go out you lock your front door. Sure, if a person is determined enough they'll find a way in but it's going to be much trickier.
  • azic #49 1 year ago

    Sony are twats... this is such a fail... I don't think some of you realise how bad this is.
    I had my wallet stolen, it had my driving licence in it which has name, address etc on it. Only saving grace is it also has a picture of my ugly mug on it.
    Anyhow I have had several applications for credit in my name. I have to watch my credit score like a hawk now. It's costing me £15 a month just to keep an eye on it and I am the victim here.

    This is really bad, people, get checking.
  • bebox2010 #50 1 year ago

    I want BF3 for free. And the actual head of the hacker. It's the least Sony can do lol
  • Murton #51 1 year ago

    "True, but you can make it a lot harder for hackers to do so. I mean, when you go out you lock your front door. Sure, if a person is determined enough they'll find a way in but it's going to be much trickier."

    House analogies don't work very well when talking technical. You're saying that server defences are like locking the door to your house, that's fair enough, but if someone breaks down the door and steals everything would you accept the blame as the owner of the house or would you expect to be treated with sympathy and respect as the victim of a crime?

    I'm not saying Sony are blameless because I don't know, but at the same time we shouldn't blame them either because we just don't know. One thing we do know is that if someone did hack the server, that guy deserves the full blame for the act. We can then get on Sony's back about any failings on their part once we know for certain that they have failed in some way.
  • Raz76 #52 1 year ago

    Widge:
    "YOORRRR
    YOORRRR
    EN TOI?
    EN TOI?"

    Not a lot of people have played ICO apparently, or they'd have found that funny :-D