Hacked games companies: Do LulzSec victims face legal risk?

Technology and media lawyer Brett Farrell gives us the low-down...

The past two months have seen unprecedented and high profile hacking attacks against the computer gaming industry by powerful hacking groups.

Sony, Nintendo, Sega and Codemasters are just some of the companies who have been attacked and had various types of data stolen. Let's examine these hacks against the background of the seventh principle of the Data Protection Act about data security.

The seventh principle of the Data Protection Act is:

"Appropriate technical and organisational security measures must be taken to prevent unauthorised or unlawful processing, accidental loss of, or destruction or damage to personal data."


Whilst the hacks, apart from Codemasters, took place outside the UK, the overlay of the Data Protection Act to UK companies is very much relevant.

In addition to auditing and updating the security systems within an IT network, companies are also required to assess broader organisational controls in order to fully comply with the seventh data protection principle.

The Hacks

Sony has been the target of a number of hacks within the past two months, the most notable of which brought down its PlayStation Network. The PlayStation Network was offline for approximately one month whilst Sony undertook upgrades to its IT security.

The amount of information obtained from the hack was extraordinary and included personal information such as names, addresses, postcodes, email addresses, birth dates and credit card details.

The hack against Nintendo was somewhat of a non-event as the hackers appear to have no malice towards Nintendo. No personal data was obtained by the Nintendo hackers.

SEGA was the next high profile target. The hackers gained access to the SEGA Passport data including email addresses, dates of birth and encrypted passwords. SEGA had, as a result of Sony's hack, just undertaken a review of its IT security and carried out some upgrades in order to close any vulnerability in its infrastructure. In a further and unusual twist the group of hackers who hacked Sony came to SEGA's defence by offering to "[d]estroy the hackers that hacked you. We love the Dreamcast, these people are going down."

A good amount of data in those hacks would, if in England, have fallen squarely within the definition of personal data under the Data Protection Act.

There was also the attack on the English company Codemasters. Codemasters revealed that its websites, eStore and databases were all subject to the attack but credit card and payment details were not affected. Taken instead were encrypted passwords, email addresses and user names all which is likely to be personal data under the Data Protection Act.


Good Practice

The Information Commissioner has issued a Data Protection Good Practice Note on Security of Personal Information. It is a broad approach and looks at four aspects of security measures that a company must assess which are: organisational, staff, physical security and computer security.

The organisational measures are the macro level policies and procedures applied across the company which relate to data security. They include things like ensuring that people with responsibility have the necessary authority to enforce data security, ensuring overall data security policies are in place, checks are being undertaken to ensure compliance and there are periodic reviews of security arrangements to ensure they are up to date and appropriate.

Staff is the next realm of responsibility and the Information Commissioner expects a company to have taken reasonable steps to assess reliability of staff at the recruitment stage, provided staff with sufficient training about responsibilities for the data that the company holds and most importantly, making staff aware that they could be committing criminal offences if they give out personal information without appropriate consents in place.

  1 2