The Privacy Commissioner has cleared Sony of wrongdoing after finding the company's security was up to scratch when its PlayStation service was hacked in April.
Commissioner Timothy Pilgrim asked Sony for details of its security architecture to ascertain whether the hack of Sony had broken local laws, despite its infrastructure being located outside of Australia. 77 million user records were compromised during the two day outage, including some 1.6 million Australian accounts.
The investigation concluded there was sufficient infrastructure in place to protect the records and cleared Sony of wrongdoing.
The finding was thought to be based on information provided by Sony Computer Entertainment Australia to the Office of the Australian Information Commissioner (OAIC), according to comments by a internal spokesperson to this website.
This could not be validated with Pilgrim by the time of publication.
Sony would have breached the Australian Privacy Act if it had inappropriately disclosed customer information to a third party, or did not adequately protect data, the OAIC said.
“The evidence showed that no personal information was disclosed to unauthorised parties; rather the information was accessed as a result of a sophisticated security cyber-attack against the network platform,” the investigation's report said.
The report assessed the hacked security infrastructure against two National Privacy Principles.
The first, 2.1, stated that personal information could only be used or disclosed “for the primary purpose for which it was collected”.
The second, 4.1, stated that organisations must “take reasonable steps” to protect personal information from “misuse and loss and from unauthorised access, modification or disclosure”.
Australia's privacy guidelines do not contain deadlines for companies to inform customers when their information had been compromised, though the office found Sony's week-long wait before it informed customers was too long.
Pilgrim said Sony's Australian chapters should have quickly notified local customers of the hack instead of waiting for the delayed notification from Europe.
“This delay may have increased the risk of a misuse of the individuals' personal information,” he said.
“The Privacy Commissioner strongly recommended that Sony review how it applies the OAIC's guide to handling personal information security breaches.”