Sony's data loss didn't breach Privacy Act


Sony Computer Entertainment (SCE) Australia wasn't on the wrong side of the law when it experienced a massive data breach due to a cyber attack earlier this year, according to Australian Privacy Commissioner Timothy Pilgrim.

The commissioner had decided to investigate the Sony PlayStation Network (PSN) breach in April, which saw hackers gain access to over 70 million customer records. SCE Australia told the Commissioner that each individual's name, address (city, state, postal code), country, email address, date of birth, online ID, PSN/Qriocity password and possibly credit card data could have been accessed during the attack.

Principles set out in the Privacy Act require organisations to take reasonable steps to protect personal information, and ensure that they only use or disclose personal information for the purpose that it was collected.

"I opened this investigation because I was concerned that Australians' personal information may have been compromised," Pilgrim said.

However, his concerns were unfounded, with Pilgrim finding that the company hadn't breached the Act.

"I found no evidence that Sony intentionally disclosed any personal information to a third party. Rather, its Network Platform was hacked into.

"I also found that Sony took reasonable steps to protect its customers' personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place," Pilgrim said.

SCE Australia is a subsidiary of Sony Computer Entertainment Europe Limited (SCE Europe), as is Sony Network Entertainment Europe Limited (SNEE), which operates PlayStation Network and Qriocity services for Australians.

SCE Australia didn't have anything to do with provisioning the network platform or storing personal data, which was held in a datacentre in San Diego, according to the privacy commissioner.

The commissioner found, however, that the companies that did have responsibility for the data had a "wide range of security safeguards in place" for the protection of personal information.

These included: physical, network and communication security measures, the encryption of credit card information and the maintaining of information technology security standards based on the international information security standard ISO/IEC 27001.

Although the commissioner was happy with the steps that Sony had taken to protect information, he said that he was worried about how long it had taken for Sony to tell customers about the problem after finding out about the breach.

Pilgrim noted that in the case of a possible exposure of financial information, notifying customers early is better, even if the data is encrypted.

"If an organisation cannot rule out the possibility that sensitive information of this type has been compromised, then timely notification would seem appropriate in the circumstances," he said in his report.

The Office of the Australian Information Commissioner's (OAIC) data breach guidelines did not say how quickly organisations should notify customers of breached data; however, in this case, the privacy commissioner said that the seven days that elapsed between the company discovering the breach and the notification of customers was too long.

"I would have liked to have seen Sony act more swiftly to let its customers know about this incident. Immediate or early notification of a data breach can allow individuals to take steps to mitigate the risks that arise from their information being compromised," Pilgrim said.

The privacy commissioner "strongly recommended" that Sony review how it applies the OAIC's guide to handling personal information during security breaches.

Yet he was pleased that Sony had beefed up security measures after the attack. For example, the company has created a new chief information security officer role. It has also pushed out a software update for PlayStation 3 consoles that forced users to change their passwords to the network. The password had to be changed on the console on which the account was activated.

The company also implemented additional data monitoring software and configuration management systems; data protection and encryption; system monitoring; and firewalls.


Suzanne Tindal

About Suzanne Tindal

Suzanne Tindal cut her teeth at ZDNet.com.au as the site's telecommunications reporter, a role that saw her break some of the biggest stories associated with the National Broadband Network process. She then turned her attention to all matters in government and corporate ICT circles. Now she's taking on the whole gamut as news editor for the site.


Talkback

4 comments
  • Maybe Sony should have asked PayPal for help with security; they've never been hacked....
    Eva-cbf8d
  • "I opened this investigation because I was concerned that Australians' personal information may have been compromised," Pilgrim said.

    However, his concerns were unfounded, with Pilgrim finding that the company hadn't breached the Act.

    Well that's reassuring...

    Millions of account details were released into the wild but the 'act' wasn't breached so all is good. And if the 'act' had been breached Sony would have swiped away any repercussions like an elephant squashing an ant.

    Meantime McClelland secretly meets with the Hollywood fat cats (employed by Sony) to 'protect' THEIR rights probably with 3 strikes against the 'working families' he worships so much...
    p...a...t...h...e...t...i...c...
    btone-c5d11
    • Can I have his job, as I think anyone is more qualified than this joker. It shows his lack of knowledge on the effect this may have on industry and our ability to offer services. On-line trading is slowing in Australia; offering protection through our non-existent privacy legislation does not offer potential international customers any protection whatsoever. "So how do we compete?" Can he answer us what reasonable steps Sony took to protect individuals' credentials? Wow, they actually created a CSO role. They didn't have this before???? What fines were handed down for this breach???? How do you show that your legislation protects individuals' information to overseas organisations, as they do have legislation in place (eg. US - Sarbanes-Oxley, HIPAA, etc...).
      There were a number of people that read this article that had to be taken to Hospital for chest strain as I could not stop them from laughing.
      norbi1414
  • The Privacy Commissioner's statement that Sony did have a case to answer as they "did not intentionally disclose any confidential information" is not surprising; simply put, Australia has no real commercial Privacy or Security legislation for Sony to breach. The fact that Sony did not show a duty of care and/or displayed a complete lack of regard for the personal information entrusted to them by their clients is completely ignored by the commissioner.

    Sony's duty of care is to maintain appropriate IT Security systems, policies and procedures to keep client data Confidential, Private and Available, whether at rest, in transit or in process. It is obvious that they did not take these duty of care obligations seriously until "that proverbial substance" hit the fan. Now, to show that they have learned their lesson, they have just employed a CIO.

    On so many levels, Sony's "JUST EMPLOYED A CIO" statement simply highlights its historical disregard for client confidentiality in their corporate culture, and I do not think that any Australian Government officials should comment and try to exonerate such obvious laissez-faire behaviour.
    lvb01