Sony Computer Entertainment Australia should have acted more quickly to notify customers of the data breach from the hacking of the PlayStation Network and Qriocity platforms in April, the office of the Australian Privacy Commissioner has said.
In its report into the hacking and possible breach of the Privacy Act, the office said that while the Privacy Commissioner found — albeit based on information provided by SCE Australia — 'reasonable steps' were taken to protect personal information at the time, the elapsed time between SCE Europe becoming aware of the incident and notifying consumers and the Office of the Australian Information Commissioner was too long.
“In this case, the Privacy Commissioner believes that affected individuals could have been notified earlier, rather than SCE Europe allowing seven days to elapse after discovering the cyber attack had occurred,” the report reads.
“This delay may have increased the risk of a misuse of the individuals' personal information.”
It is estimated that as many as 100 million users of the PlayStation system and Sony's Qriocity film and music network worldwide were affected by the data breach.
Detailing the investigation into possible breaches of the Privacy Act, the office said the Privacy Commissioner had concluded that SCE Australia had not breached the act, as it “held no personal information relating to the incident”.
This was due to customers’ personal data, at the time of the incident, being stored in a data centre in San Diego, California.
“The Privacy Commissioner accepted, based on the information provided by SCE Australia, that personal information held by the related companies was not disclosed to an unauthorised party; rather the information was accessed as a result of a sophisticated security cyber attack on the Network Platform's systems,” the report reads.
The report said the Privacy Commissioner was also satisfied with how Sony Australia implemented additional security measures to help protect personal information following the data breach.
“For these reasons, the Privacy Commissioner ceased his own motion investigation into SCE Australia,” the report reads.
“However, given his concerns over the period that elapsed before Sony notified its customers, the Privacy Commissioner strongly recommended that Sony review how it applies the OAIC's Guide to handling personal information security breaches.”