Sony has been fined £250,000 by the Information Commissioner's Office for not having prevented the security breach of the PlayStation Network's databases in 2011.
The UK body ruled that the company hadn't met its duties in ensuring that software was up to date and had left vital passwords and systems in a vulnerable state.
"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority," said ICO director of data protection David Smith.
"In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough.
"There's no disguising that this is a business that should have known better."
The breach was a disaster for Sony, coming just before the Easter holidays in 2011 and severely damaging public trust in the company. Senior executives publicly apologised for not having been better prepared for the attack and offered game downloads as compensation to users. It has since improved its security provision.