Sony Computer Entertainment Europe has been fined £250,000 ($396,100) following a "serious breach" of the Data Protection Act.
UK authorities said a hack in April 2011 "could have been prevented".
The Information Commissioner's Office (ICO) criticised the entertainment giant for not having up-to-date security software.
Sony told the BBC it "strongly disagreed" with the ruling and planned to appeal.
"Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defence and working to make our networks safe, secure and resilient," a spokesman for the firm added.
The company had previously apologised for the hack, which saw its PlayStation Network knocked offline for several days. In May 2011 company executives bowed in public and offered users free games to show their remorse.
'Not good enough'
The ICO's report said technical developments had led to user passwords not being secure - leaving data such as names, addresses, dates of birth and payment card information at risk.
"If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority," said David Smith, deputy commissioner and director of data protection at the ICO.
"In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough."
Since the hack, which angered gamers who wanted to play over 2011's Easter weekend, Sony has said it has rebuilt the PlayStation Network system to be more secure.
But the ICO said the fine reflected the severity of the security lapse, adding that it was among the most serious it had ever seen.
"There's no disguising that this is a business that should have known better," Mr Smith added.
"It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
One positive from the hack, Mr Smith said, was that polls conducted after the breach suggested a greater awareness of the risks in handing over personal data.