Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
The privacy commissioner has cleared Sony of wrongdoing after finding the company's security was up to scratch when its PlayStation service was hacked in April.
Commissioner Timothy Pilgrim asked Sony for details of its security architecture to ascertain whether the hack of Sony had broken local laws, despite its infrastructure being located outside of Australia. 77 million user records were compromised during the two day outage, including some 1.6 million Australian accounts.
The investigation concluded there was sufficient infrastructure in place to protect the records and cleared Sony of wrongdoing.
The finding was thought to be based on information provided by Sony Computer Entertainment Australia to the Office of the Australian Information Commissioner (OAIC), according to comments by a internal spokesperson to this website.
This could not be validated with Pilgrim by the time of publication.
Sony would have breached the Australian Privacy Act if it had inappropriately disclosed customer information to a third party, or did not adequately protect data, the OAIC said.
“The evidence showed that no personal information was disclosed to unauthorised parties; rather the information was accessed as a result of a sophisticated security cyber-attack against the network platform,” the investigation's report said.
The report assessed the hacked security infrastructure against two National Privacy Principles.
The first, 2.1, stated that personal information could only be used or disclosed “for the primary purpose for which it was collected”.
The second, 4.1, stated that organisations must “take reasonable steps” to protect personal information from “misuse and loss and from unauthorised access, modification or disclosure”.
Australia's privacy guidelines do not contain deadlines for companies to inform customers when their information had been compromised, though the office found Sony's week-long wait before it informed customers was too long.
Pilgrim said Sony's Australian chapters should have quickly notified local customers of the hack instead of waiting for the delayed notification from Europe.
“This delay may have increased the risk of a misuse of the individuals' personal information,” he said.
“The Privacy Commissioner strongly recommended that Sony review how it applies the OAIC's guide to handling personal information security breaches.”
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.