Australian Government - Office of the Australian Information Commissioner - Home

Sony PlayStation Network

Statement from Privacy Commissioner

25 January 2013

The UK Information Commissioner’s Office (ICO) has concluded its investigation into the hacking of the Sony PlayStation Network Platform in 2011. The ICO has found that Sony Computer Entertainment Europe (SCEE), the operator of the Network Platform, contravened the UK Data Protection Act 1998 and has imposed a penalty of £250,000.

The Office of the Australian Information Commissioner (OAIC) opened an own motion investigation into the same incident in April 2011 and examined the practices of Sony Computer Entertainment Australia Pty Ltd (SCE Australia), the Australian subsidiary of SCEE. The OAIC concluded its investigation in September 2011 finding that SCE Australia was not in breach of the Australian Privacy Act 1988 as it did not hold any personal information. Based on the information provided by SCE Australia, including information about the range of security measures in place at the time of the incident, I found that it appeared that reasonable steps had been taken to protect the personal information held in relation to the Network Platform.

Given the global nature of this incident I advised other privacy regulators, including those in the APEC member economies, of my findings for their consideration. Since this incident the OAIC has been strengthening its participation in global privacy enforcement networks so that it can draw on the assistance of overseas privacy regulators when investigating potential breaches of Australians' personal information when it is held in other countries.

Amendments to the Privacy Act passed by the Parliament last November, and which come into force on 12 March 2014, will further strengthen the accountability of organisations sending personal information out of Australia as well as enhancing the Commissioner's compliance powers.

Currently, the Australian Privacy Act does not allow the Commissioner to impose a penalty if an organisation is found to be in breach of the Act. However, the amendments to the Privacy Act will include the power to seek civil penalties in the case of a serious breach of privacy, accept enforceable undertakings, and conduct assessments of privacy performance.

There are no plans to re-open the OAIC’s investigation into this matter. I am satisfied, as is the ICO, that Sony has made appropriate changes to its systems following the incident in terms of the extra security measures that have been implemented to help protect personal information. However, I will examine the ICO’s report in detail.

Late last year the OAIC released for consultation a draft guide to assist Australian businesses and government agencies with information security requirements under the Privacy Act. The guide includes a range of information, including a recommendation that organisations should regularly update their IT systems to reduce the likelihood that the personal information they hold is compromised. The guide will be released later this year.

[END STATEMENT]

The OAIC’s investigation report into the Sony PlayStation Network can be found here: http://www.oaic.gov.au/publications/reports/own_motion_sony_sep_2011.html


Investigation into Sony data breach — Statement from Australian Privacy Commissioner, Timothy Pilgrim

4 May 2011

On 26 April, I opened an own motion investigation into the Sony Playstation Network in response to reports that hackers may have stolen the personal data, including credit card details, of users. Sony later contacted my Office to confirm that the incident had occurred. This investigation is ongoing.

On the same day I sent Sony a formal letter asking them a series of questions, including exactly what personal information was compromised by the hacker, and what security measures it had in place at the time of the incident to ensure that information was secure. I also asked whether, in hindsight, it considers these steps were reasonable measures to take to protect its customers' personal information from unauthorised access and disclosure. I am expecting a response from Sony by 13 May 2011.

Update 4 May 2011

Yesterday, Sony Online Entertainment (SOE) advised me it had discovered that hackers may have obtained SOE customer information. SOE has said that the information was held in an outdated database from 2007 and contained approximately 12,700 non-US customer credit or debit card numbers and expiration dates. It is unclear at this point how many of these customers are Australian citizens or recipients.

I have asked SOE for information about this incident and I will be opening an own motion investigation. As I understand it, this incident involves information held on a separate server from the Sony Playstation Network.

This latest incident is extremely worrying. I am particularly concerned that it involves information stored on an out-of-date database. It reinforces my view that organisations need to consider further limiting the amount of information they collect and store about people. They should also make sure that information is destroyed when it is no longer needed, as is required under the Privacy Act.

There are a number of significant reforms to the Privacy Act currently being considered by the Government. These include increased powers for the Commissioner to impose penalties following an own motion investigation, such as enforceable undertakings and civil penalties for serious breaches of privacy. Further, the ALRC recommended that consideration should also be given to the introduction of mandatory data breach notification laws.
