The security breach occurred in April 2011, compromising the personal information of millions of customers, including users’ payment card details, dates of birth, addresses and account passwords.
The ICO found the attack could have been prevented had Sony’s software been up to date.
David Smith, deputy commissioner and director of data protection, stressed companies’ responsibility for protecting consumers’ payment details, describing Sony’s breach as “one of the most serious ever reported to us”.
He says: “The security measures in place were simply not good enough. There’s no disguising that this is a business that should have known better.
It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”
In the aftermath of the attack, Sony conceded that it could have “gotten the answers needed sooner” but said the forensic analysis of the situation was “time-consuming”, acknowledging that it could have acted sooner to notify the public.
Sony has issued a statement saying it disagrees with the ruling and plans to appeal the judgement, adding “there is no evidence that encrypted payment card details were accessed”.