Posted on 29-Jun-2011

Hacked games companies: Do LulzSec victims face legal risk?

Technology and media lawyer Brett Farrell gives us the low-down...

The past two months have seen unprecedented and high profile hacking attacks against the computer gaming industry by powerful hacking groups.

Sony, Nintendo, Sega and Codemasters are just some of the companies who have been attacked and had various types of data stolen. Let's examine these hacks against the background of the seventh principle of the Data Protection Act about data security.

The seventh principle of the Data Protection Act is:

"Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss of, or destruction or damage to personal data."

Whilst the hacks, apart from the one on Codemasters, took place outside the UK, the application of the Data Protection Act to UK companies is very much relevant.

In addition to auditing and updating the security systems within an IT network, companies are also required to assess broader organisational controls in order to fully comply with the seventh data protection principle.

The Hacks

Sony has been the target of a number of hacks within the past two months, the most notable of which brought down its PlayStation Network. The PlayStation Network was offline for approximately one month whilst Sony undertook upgrades to its IT security.

The amount of information obtained from the hack was extraordinary and included personal information such as names, addresses, postcodes, email addresses, birth dates and credit card details.

The hack against Nintendo was somewhat of a non-event as the hackers appear to have no malice towards Nintendo. No personal data was obtained by the Nintendo hackers.

SEGA was the next high profile target. The hackers gained access to the SEGA Passport data including email addresses, dates of birth and encrypted passwords. SEGA had, as a result of Sony's hack, just undertaken a review of its IT security and carried out some upgrades in order to close any vulnerability in its infrastructure. In a further and unusual twist the group of hackers who hacked Sony came to SEGA's defence by offering to "[d]estroy the hackers that hacked you. We love the Dreamcast, these people are going down."

A good amount of data in those hacks would, if in England, have fallen squarely within the definition of personal data under the Data Protection Act.

There was also the attack on the English company Codemasters. Codemasters revealed that its websites, eStore and databases were all subject to the attack but credit card and payment details were not affected. Taken instead were encrypted passwords, email addresses and user names, all of which are likely to be personal data under the Data Protection Act.

Good Practice

The Information Commissioner has issued a Data Protection Good Practice Note on Security of Personal Information. It is a broad approach and looks at four aspects of security measures that a company must assess which are: organisational, staff, physical security and computer security.

The organisational measures are the macro-level policies and procedures applied across the company which relate to data security. They include ensuring that the people with responsibility for data security have the authority to enforce it, that overall data security policies are in place, that checks are carried out to confirm compliance, and that security arrangements are periodically reviewed to ensure they remain up to date and appropriate.


Comments

5 comments so far...

  1. Joe90_Remy700 on 30 Jun '11 said:

    So because some pu$$yhole geeky cnuts try to be brave from behind their milk-bottle-bottom glasses and keyboards and think it's cool to be a prick by hacking, the companies that are victims not only lose data, lose face and lose customer trust and support, they also lose money by being fined for being hacked? That's a bit strong.
    Fair enough, those complacent f*cks at Sony should have at least had some form of security on the PSN regardless of it being a free network, and the magnitude of how and what was hacked is quite sickening; there must have been naff all cyber security in place. But nothing is safe from thieves, criminals or pu$$yhole geeks.

  2. originalbadboy on 30 Jun '11 said:

    > So because some pu$$yhole geeky cnuts try to be brave from behind their milk-bottle-bottom glasses and keyboards and think it's cool to be a prick by hacking, the companies that are victims not only lose data, lose face and lose customer trust and support, they also lose money by being fined for being hacked? That's a bit strong.
    > Fair enough, those complacent f*cks at Sony should have at least had some form of security on the PSN regardless of it being a free network, and the magnitude of how and what was hacked is quite sickening; there must have been naff all cyber security in place. But nothing is safe from thieves, criminals or pu$$yhole geeks.

    A bit strong???

    Not at all. The reason why the Data Protection Act exists is so that companies MAKE SURE their clients' data is safe. It's as simple as that. Sony didn't do this, so therefore they will get fined (possibly only in the UK, not sure). I don't see the issue here myself. If Sony's security was up to scratch this wouldn't have happened. No, there is no such thing as a completely secure system (until Quantum Cryptography is a reality), but you still make it damn near impossible for someone to hack a system, even more so when you have the sort of data that was stolen in your databases.

    Customer data IS the most important piece of data a company can hold, therefore it needs the most security. If the Data Protection Act didn't exist, companies would have no legal responsibility to keep customers' data safe, and you would have an even worse situation. Companies like Sony take shortcuts to save money; if those shortcuts allow customers' data to be stolen then they should get fined. It's supposed to be a deterrent against being lax on security.

    If there is one good thing that has come out of this, you can bet that there are a lot of companies out there looking at their security and making sure it's up to scratch. Trouble is, most of these companies get third party security advisors in and most of those don't know their arse from their elbow.

  3. voodoo341 on 30 Jun '11 said:

    > A bit strong???
    >
    > Not at all. The reason why the Data Protection Act exists is so that companies MAKE SURE their clients' data is safe. It's as simple as that. Sony didn't do this, so therefore they will get fined (possibly only in the UK, not sure). I don't see the issue here myself. If Sony's security was up to scratch this wouldn't have happened. No, there is no such thing as a completely secure system (until Quantum Cryptography is a reality), but you still make it damn near impossible for someone to hack a system, even more so when you have the sort of data that was stolen in your databases.
    >
    > Customer data IS the most important piece of data a company can hold, therefore it needs the most security. If the Data Protection Act didn't exist, companies would have no legal responsibility to keep customers' data safe, and you would have an even worse situation. Companies like Sony take shortcuts to save money; if those shortcuts allow customers' data to be stolen then they should get fined. It's supposed to be a deterrent against being lax on security.
    >
    > If there is one good thing that has come out of this, you can bet that there are a lot of companies out there looking at their security and making sure it's up to scratch. Trouble is, most of these companies get third party security advisors in and most of those don't know their arse from their elbow.

    That isn't strictly true. The Data Protection Act covers a whole lot more than just security and that's part of its problem. Even its security principle is so grey it's unenforceable. Add to that the fact that most companies in the world keep their data in locations where the Data Protection Act has no jurisdiction and you'll find the Act is meaningless and pointless to most multinational companies.

  4. Noobsaibot on 30 Jun '11 said:

    Wait, wait, wait..... Are you telling me some games companies have been hacked recently? Why wasn't I informed of this, CVG?

  5. Domin666 on 30 Jun '11 said:

    This is just daylight robbery, no different than holding a gun and taking what you want. The law will be broken; no bank is safe from dedicated thieves, so the same stands for the giants of industry that run the world. What would happen if this had been the stock market? Quick, call John McClane. Oh, we can't, the hackers have crashed the phones. I know, we can send an email? No, the hackers have messed with that as well. We should not be blaming the robbed, they are the victims. I say punish the guilty by sending them to a North Korean jail with the tax payers' money. ( I work ).