Out-Law News | 26 Aug 2014 | 11:16 am
In a blog post on its website, Sony said that there had been "no evidence of any intrusion to the network" and "no evidence of any unauthorised access to users' personal information" during the attack, which was one of several targeting "major networks around the world" over the weekend.
A group called LizardSquad has claimed responsibility for the attack, along with a similar attack on the servers of Blizzard Entertainment, the makers of World of Warcraft. According to the group's Twitter account, it has also attacked Microsoft's Xbox Live network. Microsoft has reported problems on its social and gaming networks, but has not yet indicated whether this is due to a DDoS attack.
The group has also claimed to be behind a bomb threat against an American Airlines flight carrying Sony Online Entertainment president John Smedley on Sunday. The plane was ultimately diverted from its original destination of San Diego to Phoenix, Arizona.
A DDoS attack typically involves hackers using malware-infected computers to bombard systems with such large amounts of traffic that they cease to function. It does not itself involve gaining malicious access to the network or intercepting users' information.
In 2013, Sony was issued with a £250,000 fine by the UK's data protection watchdog, the Information Commissioner's Office (ICO), over a data breach in 2011 that affected millions of UK gamers. The ICO found that Sony was guilty of a serious breach of the UK's Data Protection Act (DPA) because it had not taken "appropriate technical measures" to protect the security of personal data stored on the PlayStation Network, and that it had stored "excessive" amounts of customers' personal data on the platform.
Under the DPA, organisations must take "appropriate technical and organisational measures … against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The Act also requires organisations to ensure that the personal data they hold is "adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed".