Sony not quite off the hook for 77 million strong breach: privacy commissar

A cyber attack that potentially breached the privacy of 77 million Sony customers' accounts was not the fault of the electronics, entertainment and gaming giant, according to the Australian Privacy Commissioner. However, according to Commissioner Timothy Pilgrim, Sony is not blameless in the sordid affair because it took its time letting customers know.

In late April this year, Sony hit the headlines for all the wrong reasons when news broke that 77 million of its customer accounts had been hacked into, giving attackers potential access to personal information, including credit card details.

Then just a week later in early May, a further 25 million Sony accounts were breached.

However, tens of millions of customers around the world were kept in the dark, including many in Australia, which has a vibrant community of online PlayStation gamers.

The cyber attacks involving user information gave rise to questions as to whether Sony had acted in the best interests of customers with respect to providing adequate privacy and providing them with timely information.

In a statement released today, Australian Privacy Commissioner Timothy Pilgrim issued a finding that Sony Computer Entertainment Australia (SCE Australia) did not breach the Privacy Act and was itself a victim of the cyber-attack.

"I opened this investigation because I was concerned that Australians' personal information may have been compromised," Mr Pilgrim said.

According to the statement, the investigation looked at whether Sony complied with the National Privacy Principles in the Privacy Act. The Principles require organisations to take reasonable steps to protect personal information, and limit the circumstances in which organisations can use and disclose personal information.

In this respect, Sony was found to be blameless, largely because it had not intentionally breached its customers' privacy.

"I found no evidence that Sony intentionally disclosed any personal information to a third party. Rather, its Network Platform was hacked into. I also found that Sony took reasonable steps to protect its customers' personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place," Mr Pilgrim said.

That said, Sony received a firm public slap on the wrist from the Commissioner for its response to the incident.

Mr Pilgrim said he was concerned about the time that elapsed between Sony becoming aware of the incident and notifying customers and the Office of the Australian Information Commissioner.

"I would have liked to have seen Sony act more swiftly to let its customers know about this incident. Immediate or early notification of a data breach can allow individuals to take steps to mitigate the risks that arise from their information being compromised," Mr Pilgrim said.

"However, I am pleased that in response to this incident, Sony has now implemented extra security measures to strengthen protections around the Network Platform."

During the investigation, the Privacy Commissioner examined information pertaining to relationships between the various Sony entities involved in this matter.

"The international nature of these relationships raises challenges for regulators monitoring personal information flows in these kinds of situations where large global companies are collecting personal information while operating in a number of different jurisdictions."

In recognition of this, the Privacy Commissioner will provide a copy of his investigation report to privacy regulators in APEC member economies for their consideration.