What happened at Sony

From 16 April 2011, Sony's servers for online media and gaming were compromised by a major security breach. According to Sony, a "very sophisticated" hacker accessed Sony's data centre in San Diego, under the guise of a legitimate purchaser. The hacker obtained access to customer account information (including names, usernames, passwords, addresses, contact information, birth dates, and, in some cases, credit card information) of over 100 million users of Sony's PlayStation Network, Qriocity and Sony Online Entertainment networks (the Networks), including 1.5 million Australian users. This breach follows a number of other recent online data security breaches in Australia.

The fallout from the breach is still being assessed. At the time of writing there have been investigations initiated by various regulatory authorities around the world (including by the Australian Privacy Commissioner) and formal legal proceedings have been commenced in the United States. There is also renewed interest from the federal government to introduce a mandatory notification requirement for data security breaches, as there is in North America and Europe.

Consequences of the security breach for Sony

The obvious consequence following the breach is the risk of identity theft, along with other unauthorised uses such as fraud and spam. In recent cyber attacks, such as the attack against the cosmetics retailer Lush, hackers obtained customer credit card details, causing businesses to advise customers to cancel their credit cards. Sony's hackers obtained access to customer credit card details, some through an allegedly "outdated" database holding the credit card details of over 12,000 customers.

The risks to the customers have been significantly heightened by Sony not informing them of the security breach until one week after its discovery. This has led to some customers in the United States commencing legal proceedings against Sony. This breach highlights the need for businesses to have a contingency plan so that they are able to act quickly if they suspect a security breach.

The Australian Privacy Commissioner has initiated an "own motion" investigation into the Sony breach and has expressed particular concern that Sony retained credit card details on an outdated database.

The adverse impact on Sony's reputation and the diminished trust and loyalty of its customers are likely to be particularly damaging to the business. When relaunching the Networks, Sony's efforts to mitigate reputational damage will be costly, with a number of concessions being offered to customers who continue to use the Networks, including free 12-month membership packages for current Networks users, which will include a US$1 million per user insurance policy against identity theft.

Other financial consequences are likely to be felt by the business in terms of online business downtime and continuity expenses. In Sony's case, access to the Networks remains down at the time of writing. As well as losing business from the Networks, Sony has incurred expenses redesigning its data security protection and monitoring systems, creating a new information security management position within the company and relocating personal information data storage to a new and more secure data centre. There has also been considerable expense for other industries, including the banks that have cancelled and reissued many credit cards.

How should you respond to a data security breach?

How a business responds to a security breach is critical. Businesses must be able to:

  • contain the breach, including taking immediate steps to restrict access to the compromised details
  • inform those affected by the breach (including customers and regulatory authorities)
  • investigate how the breach occurred
  • put in place processes to prevent the breach from reoccurring.

The Australian Privacy Commissioner has indicated that effective notification is critical. Sony's delay in notifying customers of the breach has been widely criticised by consumers and regulatory authorities alike. There have already been some reports of illegal use of Sony's customer information, with customers unable to take steps to properly protect their identity and personal information.

Following Sony's breach, the federal government has announced that a mandatory data breach notification system now appears necessary. If mandatory notification is introduced it will bring Australia in line with North America and Europe, adding to the ever-increasing privacy obligations imposed on Australian businesses.

Mitigating your exposure to risk

To minimise the risk of your business being exposed to a data security breach, you should:

  • keep data security at the forefront of your business strategy and ensure that your data protection and security breach notification systems are of a high standard and reviewed and updated regularly
  • familiarise yourself, and comply, with your obligations under applicable privacy legislation: lack of knowledge is not a defence. For instance, Sony admitted that it had not encrypted most customer information (although credit card data was encrypted). Australian privacy legislation requires businesses to take reasonable steps to protect personal information (with guidelines suggesting the need to encrypt personal information) and to destroy information that is no longer needed
  • develop a detailed contingency plan (incorporating a notification plan) to allow you to act quickly in the event of a data security breach.

Dudley Kneller, Partner at Middletons, participated in a Boardroom Radio discussion on this topic on 5 May 2011 alongside Tom Crampton, Managing Director of Trusted Impact. That discussion can be heard here.
