The Information Commissioner's Office, a UK public body that deals with the Data Protection Act, has presented Sony with a £250,000 ($395,775) fine for the PlayStation Network outage that occurred in 2011.
Sony admitted at the time that hackers had managed to compromise information from millions of users on the PlayStation Network, including postal addresses and email addresses, while payment card details were also at risk.
The ICO, which reports directly to Parliament in the UK, has now concluded that the attack could have been prevented if Sony's software had been up to date, noting that passwords were not secure at all.
David Smith, deputy commissioner and director of Data Protection in the UK, added, "If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority."
"In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough."
He went on to say that the PSN breach was "one of the most serious ever reported to us," noting that the event put a huge number of people at risk of identity theft.
In a statement to the Telegraph, Sony responded to the fine, stating that it disagrees with the ruling and is planning to appeal the decision.
"SCEE notes, however, that the ICO recognises Sony was the victim of 'a focused and determined criminal attack,' that 'there is no evidence that encrypted payment card details were accessed,' and that 'personal data is unlikely to have been used for fraudulent purposes' following the attack on the PlayStation Network," the statement adds.