Britain's Information Commissioner's Office said Thursday that security measures in place at the time "were simply not good enough." It said the attack could have been prevented if software had been up to date, while passwords were also not secure.
David Smith, deputy commissioner and director of data protection, acknowledged that the fine for a "serious breach of the Data Protection Act" was "clearly substantial" but said that the office makes "no apologies" for that.
"There's no disguising that this is a business that should have known better," he said in a statement. "It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
Smith called the case "one of the most serious ever reported" to the data regulator.
Sony, which has previously apologized for the data breach, said Thursday it "strongly disagrees" with the ruling and plans to appeal.
David Wilson, a spokesman for Sony Computer Entertainment Europe Ltd., said the company noted that the ICO recognized that Sony was the victim of a criminal attack and that there is no evidence payment card details were accessed.
"Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defense and working to make our networks safe, secure and resilient," he said in a statement.
Cassandra Vinograd can be reached at http://twitter.com/CassVinograd