"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority," David Smith, deputy commissioner and director of data protection at the ICO, told BBC. "In this case that just didn't happen, and when the database was targeted--albeit in a determined criminal attack--the security measures in place were simply not good enough."
Smith said Sony, a company which "trades on its technical expertise," had no excuse for not employing better security measures.
Sony released a statement to CVG saying it "strongly disagrees" with the decision, which it plans to appeal:
"PlayStation Europe notes that the ICO recognises Sony was the victim of 'a focused and determined criminal attack' and that 'there is no evidence that encrypted payment card details were accessed', and that 'personal data is unlikely to have been used for fraudulent purposes'."
Meanwhile, neither side addressed the pain and suffering we poor gamers endured in the nearly month-long period of PSN downtime after the attacks. Oh, woe was us.