Sony’s Cyber Attack and the Privacy Act

Sony’s cyber-attack investigated by the Australian Privacy Commissioner

On 19 April 2011, Sony became aware that hackers had gained access to its Network Platform, which held the personal information of approximately 77 million customers worldwide, including contact and credit card details. The Australian Privacy Commissioner commenced an investigation into whether Sony had complied with National Privacy Principles 2.1 and 4.1 under the Privacy Act, amid concerns that Australians’ personal information may have been compromised in the cyber-attack.

The Commissioner found that Sony did not breach National Privacy Principle 2.1 which only allows disclosure of personal information for the purpose it was collected, as the release of information was not intended by Sony, but rather the result of a ‘sophisticated security cyber-attack’ against Sony’s Network Platform.

The Commissioner also found that Sony had acted in accordance with the National Privacy Principle 4.1 in taking reasonable steps to protect its customers’ personal information from misuse and loss and from unauthorised access, modification or disclosure.

The Commissioner noted that Sony:

However, the Commissioner did express concerns that Sony allowed 7 days to go by before notifying its customers, and strongly recommended that Sony review how it applies the OAIC’s Guide to handling personal information security breaches in light of the high risk Sony’s customers were exposed to after the cyber-attack.