Interesting penalty notice for Sony Playstation Network hack

The penalty notice for the Sony Playstation Network hack is an interesting read:

http://www.ico.gov.uk/news/latest_news/2013/~/media/documents/library/Data_Protection/Notices/sony_monetary_penalty_notice.ashx

Besides the fact that Sony did not properly encrypt PCI-relevant data, and the ruling's vague phrasing:

“Therefore the means used would not, at the time of the attack, be deemed appropriate, given the technical resources available to the data controller.”

a main point of the ruling seems to have been that the systems were compromised through a vulnerability for which patches were available at the time of the hack.

To me this is a perfect example that patch and vulnerability management are not a nice-to-have but a must-have for every organization. This ruling shows that being hacked is not just an inconvenience for the targeted company but also opens the door to fines and reparation claims.

I would really like to know what the blackened parts were about!
So give your Nessus a go and make sure to follow up on the results ;)
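Following up on scanner results means more than reading the severity column: the question the ICO asked was how long a patch had been available before the attack. As an added example (not code from the original post or from Tenable), the script below parses a .nessus v2 export, computes for every finding how many days the vendor patch had been out at scan time, and lists the overdue ones worst first. The embedded report is a constructed sample: the element names (NessusClientData_v2, ReportHost, ReportItem, HOST_END, patch_publication_date, exploit_available) follow the Nessus export format, while the hosts, plugin IDs 9000xx, plugin names and dates are made up. The 30-day grace period is an assumed policy value, not something from the notice.

```python
"""Triage a Nessus (.nessus v2) export for findings whose vendor patch was
already available well before the scan ran.

Added example, not code from the original post or from Tenable. SAMPLE_NESSUS
is a constructed report in the .nessus v2 layout; hosts, plugin IDs 9000xx,
plugin names and dates are invented for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="web-tier">
  <ReportHost name="10.0.5.21">
   <HostProperties><tag name="HOST_END">Tue Apr 12 03:10:00 2011</tag></HostProperties>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="4" pluginID="900001"
               pluginName="Web server: outdated release (constructed)" pluginFamily="Web Servers">
    <cvss_base_score>10.0</cvss_base_score>
    <exploit_available>true</exploit_available>
    <patch_publication_date>2010/09/01</patch_publication_date>
    <solution>Upgrade to the vendor-supplied patched release.</solution>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="900002"
               pluginName="SSH weak MAC algorithms (constructed)" pluginFamily="Misc.">
    <cvss_base_score>4.3</cvss_base_score>
    <exploit_available>false</exploit_available>
    <solution>Disable weak MAC algorithms in sshd_config.</solution>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900003"
               pluginName="Scan information (constructed)" pluginFamily="Settings"/>
  </ReportHost>
  <ReportHost name="10.0.5.22">
   <HostProperties><tag name="HOST_END">Tue Apr 12 03:25:00 2011</tag></HostProperties>
   <ReportItem port="3306" svc_name="mysql" protocol="tcp" severity="4" pluginID="900004"
               pluginName="Database server: remote code execution (constructed)" pluginFamily="Databases">
    <cvss_base_score>9.3</cvss_base_score>
    <exploit_available>false</exploit_available>
    <patch_publication_date>2010/12/15</patch_publication_date>
    <solution>Apply the vendor patch.</solution>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="900005"
               pluginName="Application framework: information disclosure (constructed)" pluginFamily="CGI abuses">
    <cvss_base_score>7.5</cvss_base_score>
    <exploit_available>false</exploit_available>
    <patch_publication_date>2011/04/08</patch_publication_date>
    <solution>Apply the vendor patch.</solution>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    name: str
    severity: int                  # Nessus scale 0..4 (info .. critical)
    cvss: float
    exploit_available: bool
    patch_age_days: Optional[int]  # days the patch was public before the scan; None if no patch known
    solution: str


def _scan_date(host: ET.Element) -> date:
    """HOST_END is written in ctime() form, e.g. 'Tue Apr 12 03:10:00 2011'."""
    text = host.findtext("HostProperties/tag[@name='HOST_END']")
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y").date() if text else date.today()


def parse_nessus(xml_text: str) -> List[Finding]:
    """Flatten every ReportItem into a Finding, skipping severity-0 (informational) plugins."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        scanned = _scan_date(host)
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity == 0:
                continue
            patch_text = item.findtext("patch_publication_date")
            age = None
            if patch_text:  # Nessus writes the date as YYYY/MM/DD
                age = (scanned - datetime.strptime(patch_text, "%Y/%m/%d").date()).days
            findings.append(Finding(
                host=host.get("name"), plugin_id=item.get("pluginID"), name=item.get("pluginName"),
                severity=severity, cvss=float(item.findtext("cvss_base_score", "0")),
                exploit_available=item.findtext("exploit_available", "false") == "true",
                patch_age_days=age, solution=(item.findtext("solution") or "").strip()))
    return findings


def overdue_patches(findings: List[Finding], grace_days: int = 30) -> List[Finding]:
    """Findings whose vendor patch was public for more than grace_days before the scan,
    worst first: severity, then CVSS, then whether a public exploit exists."""
    overdue = [f for f in findings if f.patch_age_days is not None and f.patch_age_days > grace_days]
    return sorted(overdue, key=lambda f: (-f.severity, -f.cvss, not f.exploit_available, f.host))


def needs_config_fix(findings: List[Finding]) -> List[Finding]:
    """Findings with no patch on record: these need a configuration change, not a patch run."""
    return [f for f in findings if f.patch_age_days is None]


if __name__ == "__main__":
    all_findings = parse_nessus(SAMPLE_NESSUS)
    for f in overdue_patches(all_findings):
        print(f"{f.host:12} sev={f.severity} cvss={f.cvss:4} exploit={f.exploit_available!s:5} "
              f"patch public {f.patch_age_days} days before scan: {f.name}")
    for f in needs_config_fix(all_findings):
        print(f"{f.host:12} no patch on record, config change needed: {f.name} -> {f.solution}")
```

The split into "patch was available" and "no patch on record" matters for the follow-up: the first list is what a regulator would hold against you, the second still needs a ticket but cannot be closed by the patch cycle. Feed it a real export instead of SAMPLE_NESSUS and the same two functions apply unchanged.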

About SebastianB
