10 October 2011

Sony's cyber-attack investigated by the Australian Privacy Commissioner

Holding Redlich
The Commissioner investigated whether Sony had complied with the National Privacy Principles in its handling of customers' personal information.

On 19 April 2011, Sony became aware that hackers had gained access to its Network Platform, which held the personal information, including contact and credit card details, of approximately 77 million customers worldwide. Amid concerns that Australians' personal information may have been compromised in the cyber-attack, the Australian Privacy Commissioner commenced an own-motion investigation into whether Sony had complied with National Privacy Principles 2.1 and 4.1 under the Privacy Act.

The Commissioner found that Sony did not breach National Privacy Principle 2.1, which permits disclosure of personal information only for the purpose for which it was collected, because the release of the information was not a disclosure intended by Sony but the result of a 'sophisticated security cyber-attack' against Sony's Network Platform.

The Commissioner also found that Sony had acted in accordance with National Privacy Principle 4.1 by taking reasonable steps to protect its customers' personal information from misuse and loss, and from unauthorised access, modification or disclosure.

The Commissioner noted that Sony:

  • had physical, network and communication security measures in place, including the encryption of credit card information;
  • temporarily shut down the Network Platform servers and services after the security breach;
  • subsequently advised consumers about the incident via the PlayStation website, the media and by email; and
  • has since implemented various new security measures such as appointing a Chief Information Security Officer.

However, the Commissioner also expressed concern that Sony allowed seven days to elapse before notifying its customers, and strongly recommended that Sony review how it applies the OAIC's Guide to handling personal information security breaches, given the high risk of serious harm to which Sony's customers were exposed after the cyber-attack.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
