Australian Privacy Commissioner Timothy Pilgrim found that Sony Computer Entertainment Australia (SCE Australia) did not breach the Privacy Act when it fell victim to a cyber-attack. The Privacy Commissioner's investigation into the Sony Playstation Network / Qriocity was prompted by media reports that hackers allegedly gained unauthorised access to approximately 77 million Sony customers' personal information.
"I opened this investigation because I was concerned that Australians' personal information may have been compromised," Pilgrim said.
The investigation looked at whether Sony complied with the National Privacy Principles in the Privacy Act. The Principles require organisations to take reasonable steps to protect personal information, and limit the circumstances in which organisations can use and disclose personal information.
"I found no evidence that Sony intentionally disclosed any personal information to a third party. Rather, its Network Platform was hacked into. I also found that Sony took reasonable steps to protect its customers' personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place," Pilgrim said.
While the Privacy Commissioner found no breach of the Privacy Act by SCE Australia, he was concerned about the time that elapsed between Sony becoming aware of the incident and notifying customers and the Office of the Australian Information Commissioner.
"I would have liked to have seen Sony act more swiftly to let its customers know about this incident. Immediate or early notification of a data breach can allow individuals to take steps to mitigate the risks that arise from their information being compromised," Pilgrim said. "However, I am pleased that in response to this incident, Sony has now implemented extra security measures to strengthen protections around the Network Platform."