On 27 April 2011, the Australian Privacy Commissioner commenced an own motion investigation under the Privacy Act 1988 (Cth) following media reports that an unauthorised person accessed personal information of approximately 77 million customers of the Sony PlayStation Network/Qriocity, including customers in Australia. A media report said that individuals’ names, addresses and other personal data potentially including credit card details had been compromised by the incident.
This incident raised concerns that the personal information of Australians may have been compromised.
The Privacy Commissioner sought information from Sony Computer Entertainment Australia Pty Ltd (SCE Australia), which provided information on behalf of SCE Australia and other related companies. SCE Australia is a subsidiary of Sony Computer Entertainment Europe Limited (SCE Europe). Sony Network Entertainment Europe Limited (SNEE), a wholly owned subsidiary of SCE Europe, operates the PlayStation Network and Qriocity services (the Network Platform) for individuals in Australia.
Individuals can create an account to access the Network Platform. When an individual creates an account they provide various personal data to SNEE. At the time of the incident this data was stored in a data centre in San Diego, California. SCE Australia does not play any role in the provision of the Network Platform and does not hold the personal data provided by consumers when they create their accounts.
On 19 April 2011, SCE Europe became aware of a cyber-attack on the Network Platform. On becoming aware of the incident, SCE Europe and SNEE worked with their related companies in the United States and Japan to:
- commence an investigation to determine the cause of the incident
- temporarily shut down the Network Platform servers and turn off all Network Platform services
- advise consumers about the incident via the PlayStation website, the media and by email
- implement new security measures.
The Privacy Act contains 10 National Privacy Principles (NPPs) that regulate the way that organisations handle ‘personal information’ about individuals. The Privacy Commissioner’s investigation focused on whether the operation of the Network Platform was consistent with:
- NPP 2.1, which provides that an organisation must only use or disclose personal information for the primary purpose for which it was collected, unless at least one of a number of exceptions apply
- NPP 4.1, which requires organisations to take ‘reasonable steps’ to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure.
NPP 2.1 provides that an organisation must only use or disclose personal information for the primary purpose for which it was collected, unless at least one of a number of exceptions apply.
In general terms an organisation discloses personal information when it releases information to others outside the organisation.
Media reports of this incident claimed that customer information, including personal information, was disclosed to a third party. However, this was not substantiated by any of the evidence provided to the OAIC. The evidence showed that no personal information was disclosed to unauthorised parties; rather, the information was accessed as a result of a sophisticated cyber-attack against the Network Platform.
Taking into consideration all the information available to him, the Privacy Commissioner found that there was no disclosure of personal information to an unauthorised third party, and therefore no breach of NPP 2.1.
NPP 4.1 states that an organisation must take ‘reasonable steps’ to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
The Privacy Commissioner considers the range of measures an organisation has in place when deciding whether it has taken ‘reasonable steps’ to protect the personal information it holds.
Generally, an organisation will need to have a range of security safeguards in place to protect the personal information it holds. These safeguards could include:
- physical security measures, for example, only allowing authorised users to enter premises and having secure storage and destruction facilities in place
- computer and network security measures
- communication security, for example, that protects emails from unauthorised intrusion and interception
- security protocols that include policies and procedures that regulate how staff and others with access to personal information will access and handle that information.
The Privacy Commissioner will also consider an organisation’s particular circumstances when assessing whether it has taken ‘reasonable steps’ as required by NPP 4.1. This will include consideration of the organisation’s size, structure, activities, how it handles personal information, and the type of personal information it holds.
As part of the assessment of ‘reasonable steps’, the Privacy Commissioner will have regard to relevant international standards. In this regard, it is noted that AS/NZS ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management refers at clause 5.1.1 to the importance of developing an information security policy that reflects, among other things, the particular business risks that are present within that organisation. In addition, clause 5.1.2 of the standard states that information security policies should be regularly reviewed to ensure their ongoing ‘suitability, ... and effectiveness’. Further, clauses 4.1 and 4.2 discuss the assessment and evaluation of business risks and mention in particular that controls should be put in place to reduce risks, taking into account the requirements and constraints of national and international legislation and regulations.
Different risks arise for individuals where their personal information is collected online in one jurisdiction, used in another and stored in another. Such is the case in terms of the Network Platform. The Privacy Commissioner is not seeking to prevent individuals from being offered products or services in such a way. However, where personal information is collected under this type of business structure, it is important that the additional risks for individuals are appropriately evaluated, managed and controlled.
While SCE Australia itself did not hold personal information relating to the Network Platform, the information provided to the OAIC by SCE Australia indicated that its related companies had a wide range of security safeguards in place to protect the personal information held at the time of the incident. These measures included:
- physical, network and communication security measures to protect the information collected and stored in connection with the Network Platform
- encryption of credit card information
- internal information technology security standards that are based on the international information security standard ISO/IEC 27001.
Despite these measures, the security of the Network Platform was compromised as a result of a targeted cyber-attack. In its response, SCE Australia advised that individuals’ name, address (city, state, zip/postal code), country, email address, date of birth, online ID and PSN/Qriocity password and login and possibly credit card data may have been accessed during the attack on the Network Platform. The fact that Sony Online Entertainment LLC was also affected by a similar attack demonstrates the targeted nature of the attack.
A targeted attack on an organisation does not necessarily mean that the organisation has failed to take ‘reasonable steps’ as required by NPP 4.1. Based on the information provided by SCE Australia to the Privacy Commissioner, including information about the range of security measures in place at the time of the incident, the Privacy Commissioner found that reasonable steps had been taken to protect the personal information held in relation to the Network Platform as required by NPP 4.1.
The investigation involved a review of the acts and practices of both SCE Australia and its related companies. As the incident occurred outside of Australia, the Privacy Act will only apply where the requirements of the extraterritorial application provisions in section 5B of the Act are met.
Section 5B of the Act prescribes that an act or practice engaged in outside Australia will be covered by the Act if that act or practice relates to personal information about an Australian citizen and the organisation responsible for that act or practice has an organisational or other link to Australia. Where an entity does not have an organisational link with Australia, the Act will only apply to the handling of personal information about Australian citizens where the organisation carries on a business in Australia, and the personal information was collected by, or held by the entity in Australia.
As the conduct in question, by both SCE Australia and its related companies, did not constitute a breach of the Act, the Privacy Commissioner was not required to come to a settled view on this issue.
Action taken following the cyber-attack
When Network Platform services were restored, a system software update was implemented for PlayStation 3 consoles that required all PlayStation 3 users to change their Network Platform passwords. To provide an added layer of security, it was only possible to change those passwords on the same PlayStation 3 on which the account was activated, or through validated email confirmation.
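The following is an added illustration of the reset gate described above; it is not part of the Commissioner's report and is not Sony's code. It models a forced password reset in which every existing password is flagged as compromised and a new password is accepted only from the console on which the account was activated, or through a single-use emailed confirmation token. The data structures, the requirement that the console path also present the current password, the one-hour token lifetime and the sample accounts are all assumptions made for the example.

```python
"""Post-breach forced password reset: console-bound or email-token path.

Added example modelling the control described in the report. Account layout,
token lifetime, the old-password check on the console path and the sample
accounts are assumptions, not Sony's implementation.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 3600   # assumption: an emailed reset token lives one hour
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(stored, password):
    return hmac.compare_digest(stored, hash_password(password, stored[:16]))


def _token_hash(token):
    # Only the hash of an emailed token is kept server side, so a copy of the
    # account store does not hand an attacker live reset tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Account:
    email: str
    password_hash: bytes
    activation_console_id: str                          # console the account was first activated on
    must_reset: bool = False
    reset_tokens: dict = field(default_factory=dict)    # token hash -> expiry (epoch seconds)


class ResetService:
    def __init__(self):
        self.accounts = {}

    def create(self, email, password, console_id):
        self.accounts[email] = Account(email, hash_password(password), console_id)

    def invalidate_all_passwords(self):
        """Breach response: every existing password is treated as compromised."""
        for acct in self.accounts.values():
            acct.must_reset = True

    def login(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or not verify_password(acct.password_hash, password):
            return "denied"
        return "reset_required" if acct.must_reset else "ok"

    def reset_from_console(self, email, console_id, old_password, new_password):
        """Path 1: accepted only from the activation console and only with the
        current password, so a stolen password alone cannot take over the account."""
        acct = self.accounts.get(email)
        if acct is None or not verify_password(acct.password_hash, old_password):
            return False
        if not hmac.compare_digest(acct.activation_console_id, console_id):
            return False
        self._set_password(acct, new_password)
        return True

    def request_email_token(self, email, now=None):
        """Path 2, step 1: mint a single-use token for the registered address.
        Returned here only so the example can exercise it; a real service emails it."""
        acct = self.accounts[email]
        token = secrets.token_urlsafe(32)
        issued = now if now is not None else time.time()
        acct.reset_tokens[_token_hash(token)] = issued + TOKEN_TTL_SECONDS
        return token

    def reset_with_email_token(self, email, token, new_password, now=None):
        """Path 2, step 2: token must match and be unexpired; it is consumed on use."""
        acct = self.accounts.get(email)
        if acct is None:
            return False
        expiry = acct.reset_tokens.pop(_token_hash(token), None)   # single use, even on failure
        if expiry is None or (now if now is not None else time.time()) > expiry:
            return False
        self._set_password(acct, new_password)
        return True

    def _set_password(self, acct, new_password):
        acct.password_hash = hash_password(new_password)
        acct.must_reset = False
        acct.reset_tokens.clear()   # outstanding emailed tokens die with the reset


def demo():
    """Constructed scenario: one account, breach declared, reset attempted from
    the wrong console and then from the activation console."""
    svc = ResetService()
    svc.create("alice@example.invalid", "old-pw", "PS3-0001")
    svc.invalidate_all_passwords()
    return [
        svc.login("alice@example.invalid", "old-pw"),                                    # reset_required
        svc.reset_from_console("alice@example.invalid", "PS3-9999", "old-pw", "new-pw"),  # False
        svc.reset_from_console("alice@example.invalid", "PS3-0001", "old-pw", "new-pw"),  # True
        svc.login("alice@example.invalid", "new-pw"),                                    # ok
    ]


if __name__ == "__main__":
    print(demo())
```

The two points the example makes explicit are that a leaked password is useless on its own once every account is flagged, and that the email path has to be single-use and time-bounded, otherwise a token captured from an inbox later still opens the account.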
In addition to these steps, various new security measures have been implemented to protect the Network Platform including:
- additional data monitoring software and configuration management systems
- increased levels of data protection and encryption
- enhanced system monitoring, particularly for intrusions
- additional firewalls.
Sony Corporation has also recently hired a person to fill a newly created position of Chief Information Security Officer. This person has responsibility for information security within its corporate structure.
Notification of data breach incident
While the Privacy Commissioner found, based on the information provided by SCE Australia, that ‘reasonable steps’ had been taken to protect personal information at the time of the cyber-attack, the Privacy Commissioner was concerned about the period that elapsed between SCE Europe becoming aware of the incident and notifying consumers and the OAIC.
The OAIC’s Guide to handling personal information security breaches (Data Breach guidelines) advises agencies and organisations to consider the harm that could arise from a security breach when determining what steps to take, including whether to notify affected individuals. In particular, it sets out in detail the factors that should be taken into account when evaluating the risk of a breach as a way of assessing how the agency or organisation should respond. It also contains advice about the factors that should be taken into account when considering whether to notify affected individuals, such as the potential for serious harm to the individual.
Some information is more likely to cause an individual harm if it is compromised. For example, the loss of financial details such as credit card information can cause harm to individuals, directly through the loss of funds or indirectly in terms of the time and effort it takes to cancel and re-establish credit cards or other financial accounts. Further, encrypted information can still present risks for individuals as over time encryption algorithms may be broken. If an organisation cannot rule out the possibility that sensitive information of this type has been compromised, then timely notification would seem appropriate in the circumstances.
Immediate or early notification that financial details have been compromised can limit or prevent financial loss for individuals, by enabling them to re-establish the integrity of their personal information. Evidence shows it can be very difficult for individuals to re-establish the authenticity of their identity when their personal information has been stolen and used fraudulently.
The OAIC Data Breach guidelines do not stipulate a time period within which affected individuals should be notified of a data breach; what is appropriate can vary from one case to the next. In this case the Privacy Commissioner believes that affected individuals could have been notified earlier, rather than SCE Europe allowing seven days to elapse after discovering that the cyber-attack had occurred. This delay may have increased the risk of misuse of the individuals’ personal information.
Having considered all the information provided to the OAIC in relation to the incident, the Privacy Commissioner concluded that SCE Australia had not breached the Privacy Act, as it held no personal information relating to the incident. The Privacy Commissioner accepted, based on the information provided by SCE Australia, that personal information held by the related companies was not disclosed to an unauthorised party; rather, the information was accessed as a result of a sophisticated cyber-attack on the Network Platform’s systems.
Further, the Privacy Commissioner was satisfied that, at the time of the incident, it appeared that ‘reasonable steps’ had been taken in accordance with the requirement of the Privacy Act to ensure that customers’ personal information was secure and protected from misuse and loss, and from unauthorised access, modification and disclosure.
The Privacy Commissioner was also satisfied with how the incident was dealt with following the breach in terms of the extra security measures that have been implemented to help protect personal information.
For these reasons, the Privacy Commissioner ceased his own motion investigation into SCE Australia. However, given his concerns over the period that elapsed before Sony notified its customers, the Privacy Commissioner strongly recommended that Sony review how it applies the OAIC’s Guide to handling personal information security breaches.
While the incident did not constitute a breach of the Act, during the course of the investigation the Privacy Commissioner obtained information on the interrelationship of the various Sony entities involved in this matter. This information demonstrated the potential challenges for agencies regulating the flow of personal information where large global companies undertake different functions relating to the provision of services and products, including the collection of personal information, while operating out of different jurisdictions.
In recognition of this the Privacy Commissioner will provide a copy of this report to privacy regulators in the APEC member economies, for their consideration.
Under s40(2) of the Privacy Act, the Commissioner may investigate an act or practice if:
- the act or practice may be an interference with the privacy of an individual, and
- the Commissioner thinks it desirable that the act or practice be investigated.
‘PlayStation privacy breach: 77 million customer accounts exposed’, Sydney Morning Herald (online), 27 April 2011, www.smh.com.au/digital-life/games/playstation-privacy-breach-77-million-customer-accounts-exposed-20110427-1dvhf.html.
Guidelines to the National Privacy Principles, 23.
Section 5B(2) defines an organisational link with Australia. It includes Australian citizens; a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; a partnership formed in Australia or an external Territory; a trust created in Australia; bodies corporate incorporated in Australia; and unincorporated associations with their central management and control in Australia.
See s 5B(3) of the Privacy Act. Some factors that may be relevant to establishing an organisational or other link to Australia include that the organisation in question carries on a business in Australia or an external Territory, and the degree of control that an overseas corporation is entitled to exercise, and does exercise, over the running of the business conducted by any subsidiary or representative in Australia.
Guide to handling personal information security breaches [PDF], August 2008, http://www.privacy.gov.au/materials/types/download/8628/6478