Sony's data loss didn't breach Privacy Act

Sony Computer Entertainment (SCE) Australia wasn't on the wrong side of the law when it experienced a massive data breach due to a cyber attack earlier this year, according to Australian Privacy Commissioner Timothy Pilgrim.
Written by Suzanne Tindal, Contributor

The commissioner had decided to investigate the Sony PlayStation Network (PSN) breach in April, which saw hackers gain access to over 70 million customer records. SCE Australia told the Commissioner that each individual's name, address (city, state, postal code), country, email address, date of birth, online ID, PSN/Qriocity password and possibly credit card data could have been accessed during the attack.

Principles set out in the Privacy Act require organisations to take reasonable steps to protect personal information, and ensure that they only use or disclose personal information for the purpose that it was collected.

"I opened this investigation because I was concerned that Australians' personal information may have been compromised," Pilgrim said.

However, his concerns were unfounded, with Pilgrim finding that the company hadn't breached the Act.

"I found no evidence that Sony intentionally disclosed any personal information to a third party. Rather, its Network Platform was hacked into.

"I also found that Sony took reasonable steps to protect its customers' personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place," Pilgrim said.

SCE Australia is a subsidiary of Sony Computer Entertainment Europe Limited (SCE Europe), as is Sony Network Entertainment Europe Limited (SNEE), which operates PlayStation Network and Qriocity services for Australians.

SCE Australia didn't have anything to do with provisioning the network platform or storing personal data, which was held in a datacentre in San Diego, according to the privacy commissioner.

The commissioner found, however, that the companies that did have responsibility for the data had a "wide range of security safeguards in place" for the protection of personal information.

These included: physical, network and communication security measures, the encryption of credit card information and the maintaining of information technology security standards based on the international information security standard ISO/IEC 27001.

Although the commissioner was happy with the steps that Sony had taken to protect information, he said that he was worried about how long it had taken for Sony to tell customers about the problem after finding out about the breach.

Pilgrim noted that in the case of a possible exposure of financial information, notifying customers early is better, even if the data is encrypted.

"If an organisation cannot rule out the possibility that sensitive information of this type has been compromised, then timely notification would seem appropriate in the circumstances," he said in his report.

Office of the Australian Information Commissioner (OAIC) data breach guidelines didn't say how quickly organisations should notify customers of breached data; however, in this case, the privacy commissioner said that the seven days that elapsed between the company discovering the breach and the notification of customers was too long.

"I would have liked to have seen Sony act more swiftly to let its customers know about this incident. Immediate or early notification of a data breach can allow individuals to take steps to mitigate the risks that arise from their information being compromised," Pilgrim said.

The privacy commissioner "strongly recommended" that Sony review how it applies the OAIC's guide to handling personal information during security breaches.

Yet he was pleased that Sony had beefed up security measures after the attack. For example, the company has created a new chief information security officer role. It has also pushed out a software update for PlayStation 3 consoles that forced users to change their passwords to the network. The password needed to be changed on the console on which it was activated.

The company also implemented additional data monitoring software and configuration management systems; data protection and encryption; system monitoring; and firewalls.
