Sony has been fined by the U.K.’s data protection watchdog for the April 2011 data breach of the PlayStation Network which compromised the personal details of millions of users. The Information Commissioner’s Office (ICO) has fined the company close to $400,000 (£250,000) for the breach, describing it as “a serious breach of the [U.K.'s] Data Protection Act” (DPA).

The PlayStation Network hack compromised users’ names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk, according to the ICO, which — having investigated the event — has concluded that the hack attack could have been prevented if Sony’s software had been up-to-date, while  ”technical developments” also meant passwords were not secure.

The ICO is empowered to levy a fine on companies if there is a serious breach of section 4(4) of the DPA which states:

(4)Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.

Commenting on the fine, David Smith, Deputy Commissioner and Director of Data Protection, said Sony — a company that was processing card payments for its service — should simply have “known better”.

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough,” he said in a statement. “There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”

Smith described the penalty on Sony as “substantial”, adding: “The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.”

Article courtesy of TechCrunch

Google has been in ongoing discussions (some might say a war of words) with The UK’s Information Commissioner. If you remember, Google’s street cars captured all sorts of information other than just pictures, like WiFi nodes and even IP traffic, when they drove around. Google is dealing with multiple cases across Europe with various public bodies about this.

Today Google confirmed that it had located additional payload data collected by its Street View cars prior to May 2010 and the ICO, which has repeatedly asked Google to delete the extra data, has thrown a few choice words in Google’s direction.

While the ICO’s head of enforcement Steve Eckersley wrote in his reply to Google that he was “grateful” for the information about the data, and noted Google’s “commitment to continued cooperation with the ICO on this matter,” it’s not all hearts and roses.

The ICO says this data was supposed to have been deleted in December 2010. The fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010, according to the ICO.

In their letter to the ICO today, Google said they wanted to delete the remaining data and asked for instructions on how to proceed. A copy of the letter received this morning by the ICO from Google can be downloaded here. Here’s the response.

Effectively, the ICO has demanded that Google must supply the data to the ICO immediately, so that “we can subject it to forensic analysis before deciding on the necessary course of action.”

The ICO says “this should never have happened in the first place and the company’s failure to secure its deletion as promised is cause for concern.” That’s a pretty big slap on the wrist for Google.

The ICO says it is also in touch with other data protection authorities in the EU and elsewhere through the Article 29 Working Party and the GPEN network to coordinate the response to this development.

As they say, this story will run and run.

Update:

Peter Fleisher, Google’s Global Privacy Counsel, tells us: “Google has recently confirmed that it still has in its possession a small portion of payload data collected by our Street View vehicles in the UK. Google apologizes for this error.”

Article courtesy of TechCrunch

The UK’s Information Commissioner’s Office (ICO) this morning said Google has taken “reasonable steps to improve its privacy policies”, following a consensual audit of the company’s privacy processes held at its London office last July.

The ICO’s audit was agreed upon as part of the terms of an undertaking that Google signed (PDF) in November 2010 after the company reported that its Street View cars had collected WiFi payload data alongside the location mapping information that was the stated aim of the project.

In May 2010, it was revealed that Google had collected and stored payload data from unencrypted WiFi connections as part of Street View.

Google has repeatedly stated that the WiFi payload data collection was an unintended mistake and in October 2010 announced that it would examine how to strengthen its internal privacy and security practices by hiring experts and enhance training covering privacy and the protection of user data.

The ICO audit consisted of an extensive review of relevant documentation, an on-site visit (including interviews with Google staff) as well as an inspection of selected records.

ICO found that the company has taken action in all of the agreed improvement areas, yet asked Google to go further to enhance privacy, including ensuring that users are given more information about the privacy aspects of Google products.

Google has responded to the results of the audit on its European Public Policy Blog.

Information Commissioner, Christopher Graham, commented:

“I’m satisfied that Google has made good progress in improving its privacy procedures following the undertaking they signed with me last year. All of the commitments they gave us have been progressed and the company have also accepted the findings of our audit report where we’ve asked them to go even further.

“The ICO’s Google audit is not a rubber stamp for the company’s data protection policies. The company needs to ensure its work in this area continues to evolve alongside new products and technologies. Google will not be filed and forgotten by the ICO.”

The executive summary of the Google audit can be found here (PDF).

Article courtesy of TechCrunch