The cyberattack resulted in millions of users' personal information including names, addresses, birth dates and account passwords being at risk.
Britain's Information Commissioner's Office (BICO) said it was dissatisfied by what it had discovered during investigations and said security measures in place by Sony in 2011 "were simply not good enough".
David Smith, Deputy Commissioner and Director of Data Protection, said: "There's no disguising that this is a business that should have known better.
"It is a company that trades on its technical expertise, and there's no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe."
Smith described the case as "one of the most serious ever reported" to the data regulator.
David Wilson, Spokesman for Sony Computer Entertainment Europe Ltd, said: "Criminal attacks on electronic networks are a real and growing aspect of 21st century life and Sony continually works to strengthen our systems, building in multiple layers of defense and working to make our networks safe, secure and resilient."
Sony said in a statement that it "strongly disagrees" with the ruling and plans to appeal it.