MyCRA Specialist Credit Repair Lawyers

Tag: Sony

  • Privacy Commissioner casts final verdict on Sony data breach

    It seems that there will be no reprisal according to Australian law for the victims of the Sony PlayStation/Qriocity saga which left the personal information of approximately 77 million Sony customers worldwide exposed to hackers and threatened the victims with possible identity theft and credit file misuse.

    Australian Privacy Commissioner Timothy Pilgrim released his official report last Thursday on his investigation into Sony Australia’s possible breach of the Privacy Act.

    His investigation found that Sony did not breach Australia’s Privacy Act when it fell victim to a cyber-attack.

    The investigation looked at whether Sony complied with the National Privacy Principles in the Privacy Act. The Principles require organisations to take reasonable steps to protect personal information, and limit the circumstances in which organisations can use and disclose personal information.

    “I found no evidence that Sony intentionally disclosed any personal information to a third party.  Rather, its Network Platform was hacked into. I also found that Sony took reasonable steps to protect its customers’ personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place,” Mr Pilgrim said.

    Mr Pilgrim was concerned about the time that elapsed between Sony becoming aware of the incident and notifying its Australian customers and the OAIC. There was a gap of a week between the data breach and the notification. However, the Privacy Act does not contain a deadline for data breach notification – so this failure to notify does not classify as a breach of privacy.

    “I would have liked to have seen Sony act more swiftly to let its customers know about this incident. Immediate or early notification of a data breach can allow individuals to take steps to mitigate the risks that arise from their information being compromised,” Mr Pilgrim said.

    “However, I am pleased that in response to this incident, Sony has now implemented extra security measures to strengthen protections around the Network Platform.”

    During the investigation, the Privacy Commissioner examined information pertaining to relationships between the various Sony entities involved in this matter.

    “The international nature of these relationships raises challenges for regulators monitoring personal information flows in these kinds of situations where large global companies are collecting personal information while operating in a number of different jurisdictions.”

    In recognition of this, the Privacy Commissioner will provide a copy of his investigation report to privacy regulators in APEC member economies for their consideration.

    The Privacy Commissioner can only investigate what is in the bounds of the Australia’s Privacy Act to investigate – and here we get to the real problem.

    Unfortunately our Privacy Laws don’t extend to mandatory data breach notification. So the Privacy Commissioner was unable to investigate what many agree was the real issue – why Sony took a week to notify its millions of customers their personal information – including credit card details had been compromised.

    The entire saga and this subsequent investigation has served to highlight a massive hole in Australia’s privacy laws which are leaving people open to this kind of breach of security with no retribution via our Government policy.

    As we advised at the time of the data breach, it is important for anyone who has had their personal details compromised in this way to be on the  lookout for possible misuse of their credit file.

    Often people don’t know they have been victims of identity theft until they attempt to obtain credit and are refused, due to defaults on their credit report they are unaware of.

    It is recommended that everyone check their credit file for free every year from Australia’s credit reporting agencies. For people who have been the victim of a data breach and other people vulnerable to identity theft, it might pay to include a separate credit file monitoring service. For instance Veda Advantage will (for a fee) monitor people’s credit files and alert the credit file holder to any changes or entries on their credit file – including credit enquiries.

    If people need help with credit rating repair following identity theft, they can contact MyCRA Credit Repairs toll free within Australia on 1300 667 218.

    Image: Arvind Balaraman / FreeDigitalPhotos.net

     

     

  • Privacy Commissioner Investigates Sony Data Breach

    On April 27 I posted about the Sony PlayStation data breach which occurred on April 17 and has possibly affected PlayStation users worldwide.

    To update this issue, yesterday the Australian Privacy Commissioner, Timothy Pilgrim revealed findings from his initial investigation into the data breach:

    “Yesterday, Sony Online Entertainment (SOE) advised me it had discovered that hackers may have obtained SOE customer information. SOE has said that the information was held in an out dated database from 2007 and contained approximately 12,700 non-US customer credit or debit card numbers and expiration dates.  It is unclear at this point how many of these customers are Australian citizens or recipients.”

    Australian Victim Ot The Sony PlayStation Identity Theft Issue Lost $2000

     “This latest incident is extremely worrying. I am particularly concerned that it involves information stored on an out of date database. It reinforces my view that organisations need to consider further limiting the amount of information they collect and store about people. They should also make sure that information is destroyed when it is no longer needed as is required under the Privacy Act” he says.

    In my last post I called for Australia’s legislation to come up to date with what is occurring worldwide. Being part of the technological network means we are part of the global network and therefore we cannot deny that security threats in any country and particularly the United States could have an impact on us here in Australia as it has done in this instance.

    In fact, current statistics show that high-tech crime costs Australians $15billion per year, and the Australian Crime Commission now sites identity theft as the fastest growing crime in Australia.

    What is encouraging is the Australia Law Reform Commission’s recommendation that consideration should be given to the introduction of mandatory data breach notification laws. This means that when something of the nature of the Sony PlayStation data breach or the recent Dell Computers data breach occurs in the future, there will be an obligation for the company to notify its customers in this country of the occurrence.

    What is also being considered by the Government is more power for the Privacy Commissioner to impose penalties following an ‘own motion investigation’, such as enforceable undertakings and civil penalties for serious breaches of privacy. So if this part of the recommendations becomes legislation, the Privacy Commissioner would be able to penalise those companies which are found liable in relation to privacy breaches.

    In the meantime, Sony recommends its customers take these steps to help protect their personal data:

    “For your security, we encourage you to be especially aware of email, telephone, and postal mail scams that ask for personal or sensitive information. Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking.

    When the PlayStation Network and Qriocity services are fully restored, we strongly recommend that you log on and change your password. Additionally, if you use your PlayStation Network or Qriocity user name or password for other unrelated services or accounts, we strongly recommend that you change them, as well. To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports” says Sony’s Patrick Seybold.

    In Australia we can check our credit file for free by obtaining a credit report with credit reporting agencies Veda Advantage, Dun & Bradstreet or Tasmanian Collection Agency. A copy of our credit rating is then sent within 10 working days. Or for a fee they will supply one urgently.

    If there are any errors on this file, including evidence of identity theft, it is possible the credit file can be repaired.

    Contact www.mycra.com.au for more information.