Investigation into Sony data breach (4 May 2011)
Statement from Australian Privacy Commissioner, Timothy Pilgrim
On 26 April, I opened an own motion investigation into the Sony Playstation Network in response to reports that hackers may have stolen the personal data, including credit card details, of users. Sony later contacted my Office to confirm that the incident had occurred. This investigation is ongoing.
On the same day I sent Sony a formal letter asking them a series of questions, including exactly what personal information was compromised by the hacker, and what security measures it had in place at the time of the incident to ensure that information was secure. I also asked whether, in hindsight, it considers these steps were reasonable measures to take to protect its customers' personal information from unauthorised access and disclosure. I am expecting a response from Sony by 13 May 2011.
Update 4 May 2011
Yesterday, Sony Online Entertainment (SOE) advised me it had discovered that hackers may have obtained SOE customer information. SOE has said that the information was held in an outdated database from 2007 and contained approximately 12,700 non-US customer credit or debit card numbers and expiration dates. It is unclear at this point how many of these customers are Australian citizens or recipients.
I have asked SOE for information about this incident and I will be opening an own motion investigation. As I understand it, this incident involves information held on a separate server from the Sony Playstation Network.
This latest incident is extremely worrying. I am particularly concerned that it involves information stored on an out of date database. It reinforces my view that organisations need to consider further limiting the amount of information they collect and store about people. They should also make sure that information is destroyed when it is no longer needed as is required under the Privacy Act.
There are a number of significant reforms to the Privacy Act currently being considered by the Government. These include increased powers for the Commissioner to impose penalties following an own motion investigation, such as enforceable undertakings and civil penalties for serious breaches of privacy. Further, the ALRC recommended that consideration should also be given to the introduction of mandatory data breach notification laws.