MyCRA Specialist Credit Repair Lawyers

Tag: Timothy Pilgrim

  • Telstra’s security slip-up was a breach of the Privacy Act

    Back in December 2011 a customer discovered that the identity details of 734,000 Telstra Australia customers had been exposed to possible identity theft and misuse by being easily accessible through a Google search. The Privacy Commissioner, Timothy Pilgrim, immediately stepped in to investigate. After a 6-month-long investigation, Mr Pilgrim and the Australian Communications and Media Authority (ACMA) have found that Telstra breached both the Privacy Act and the Telecommunications Consumer Protections Code. We look at how this occurred, and what the implications could be for Telstra, and for you and your credit file.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    In the New Year, we reported on this massive privacy issue, which affected more than 700,000 customers, including myself, in our post Telstra’s at it again. And this time it may affect YOU. Here is an excerpt from the December 12 media release:

    The Sydney Morning Herald reported on Friday a user of the Whirlpool forum stumbled upon the “Telstra bundles request search” page after doing a Google search for a Telstra customer support phone number they were told to contact.

    SMH reported the information of any Telstra customer was searchable even by last name, bringing up the customer’s account number, what broadband plan they were on, what other Telstra services they were signed up to and notes associated with the customers’ accounts including in many cases their usernames and passwords.

    There were also other details about technician visits, SMS messages sent to private mobile numbers and credit check details.

    Telstra has reportedly reset approximately 60,000 customer passwords as a precaution (http://www.theaustralian.com.au/australian-it/telstra-customers-face-password-reset-after-privacy-breach/story-e6frgakx-1226219541766).

    Telstra bundle customer, Graham Doessel is one of those potentially at risk.

    He also happens to be the CEO of a company dealing in credit repair for people who have been unlawfully blacklisted from borrowing facilities. He says as much as 50% of his clientele who present with credit file errors and inconsistencies are Telco customers, and many of those are Telstra customers.

    “This data breach is a crucial example of how errors occur so easily in the Telco industry. Unfortunately they have the potential to severely damage someone’s financial future.”

    “Every day we deal with customers who can’t get a home loan, because their credit rating is damaged by improper execution of policies and procedures in the Telco industry,” Mr Doessel, of MyCRA Credit Repairs says.

    Mr Doessel is concerned he is amongst those Telstra customers whose personally identifiable information may have been viewed, and copied for purposes of fraud during the time the information was readily available on the internet.

    “The issue is about both our possible stolen passwords, and our possible stolen personal details – a huge commodity for fraudsters. What’s to say fraudsters haven’t jumped on the internet while this information has been available and copied it?”

    “Personal details are the building blocks for constructing a fake identity. Once someone has fake ID documents, they can take out significant amounts of credit in the victim’s name. Often people don’t find out about it straight away and that can result in defaults from creditors and massive long term credit issues,” he says.

    Outcome of the investigation

    Mr Pilgrim found in his investigation that a number of internal errors occurred in the lead up to the incident in December 2011.

    “I found the privacy breach occurred because of a series of errors revealing significant weaknesses in Telstra’s reporting, monitoring and accountability systems”, Mr Pilgrim said in a statement to the media.

    “Of particular concern is that a number of Telstra staff knew about the security issues with the database but did not raise them with management. This incident could have been easily avoided if appropriate planning was undertaken”.

    “The failure by Telstra to correctly categorise the database project in its design phase as one involving customer data meant that the database did not receive the appropriate level of protection from the very beginning”.

    The Commissioner found Telstra to be in breach of two National Privacy Principles under the Privacy Act 1988:
    • National Privacy Principle 2.1 (Use and disclosure)
    • National Privacy Principle 4.1 (Data security)

    Mr Pilgrim warned businesses of the importance of conducting a Privacy Impact Assessment (or PIA) when commencing new projects.

    “Build your privacy in at the beginning, don’t bolt it on as an afterthought. All businesses should conduct a PIA to make sure that potential privacy risks are considered at the start of any project and that risk mitigation strategies are put in place”.

    Implications for Telstra

    Telstra has committed to a remediation project to introduce significant measures to protect the security of the personal information it holds and prevent unauthorised access and disclosure in the future. The Commissioner closed the investigation after reviewing the remediation plans Telstra has in place.

    In ceasing his investigation into the matter, the Commissioner asked Telstra to provide him with a report on the progress of the remediation project by October 2012. He also asked Telstra to provide him with a report on the completion of the remediation project by April 2013.

    No penalties enforced

    Mr Pilgrim said the Privacy Act does not give him the power to impose any penalties or seek enforceable undertakings from organisations he has investigated on his own initiative. However, he did say the privacy law reforms that are currently before Parliament – the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 – will provide him with additional powers and remedies when conducting such investigations in the future.

    The Sydney Morning Herald reported in its article Telstra’s 734,000 account privacy blunder breached multiple laws: regulators that Telstra appears to have escaped financial or other penalties for now, which has angered consumer groups.

    “We strongly believe the ACMA needs stronger enforcement powers for the Code to be effective,” said Elise Davidson of the Australian Communications Consumer Action Network.

    “The ACMA is currently considering a new draft of the TCP Code but – regardless of what’s in it – without effective enforcement, telecommunication providers can continue to seriously breach their obligations without fear of any fines or sanctions from the regulator.”

    And Yet Still More Data Exposed

    Even before the delivery of the Privacy Commissioner’s finding on the account scandal, Telstra had also become embroiled in another data scandal involving the tracking of its customers’ internet data usage. The ABC reports in its article Telstra accused of tracking Next G internet use:

    Telstra has been accused of tracking the internet use of its Next G mobile phone users and sending their internet history to a company in the United States.

    One of the telco’s customers discovered that when he visited a website using his Next G network in Australia, a server in the United States would visit the same address almost instantly.

    Telstra says it is collecting the information for use in a new internet filter product, but internet users are outraged and are demanding the Australian Privacy Commissioner investigate.

    For an update on how this particular breach occurred, and what has been discovered so far, check out the IT News article Telstra: Oh what a tangled web we weave, written yesterday.

    Perhaps not Telstra’s finest hour on Privacy Issues, nor Australia’s finest hour on Privacy Law.

    How To Protect Your Credit File After a Data Breach

    Whilst there have been no official reports of any identity theft cases from this particular security breach, we look at what you should do if you find yourself in this situation in the future, with any company that holds your personal information.

    1. Change passwords. Even if Telstra hasn’t advised you otherwise, go in and change your password. If you have that same password for unrelated accounts, change that as well.
    2. Check your credit file. Obtain a free copy of your credit file and check there is nothing suspicious already present on your credit file.
    If you see suspicious activity on your credit file, or your credit accounts….
    3. Alert your Creditors you may be at risk of identity theft. This will allow them to ‘flag’ your accounts and halt any suspicious activity.
    4. Alert credit reporting agencies. They can put an alert on your credit file which informs you of any changes to contact details, or suspicious credit enquiries you may not have initiated.
    5. Consider making a complaint to the Privacy Commissioner. If you firmly believe you have been a victim of identity theft through a company data breach or breach of personal information, you should visit the Privacy Commissioner’s website to determine if you have a valid complaint to make, and how to go about making it. http://www.privacy.gov.au/complaints.
    6. If your credit file has been damaged, get help to repair it. If you have been exposed to identity theft, and you have credit listings which should not be there, contact a professional credit repairer, who can talk to you about clearing your bad credit and recovering your good name.


  • Privacy Protection set to be heightened under Australian Law

    Big changes are coming for Australian privacy rights and laws governing the use of personal information. The Australian Government has announced it will make the first set of changes to the Privacy Act 1988 in the Winter sitting of Parliament. The announcement came yesterday from Attorney-General Nicola Roxon, who intentionally announced the changes to coincide with Australia’s Privacy Awareness Week.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    The Attorney-General said in her statement that Australia’s privacy laws will be reformed to better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner.

    The Attorney explained that key changes to benefit consumers are:

    • clearer and tighter regulation of the use of personal information for direct marketing
    • extending privacy protections to unsolicited information
    • making it easier for consumers to access and correct information held about them
    • tightening the rules on sending personal information outside Australia
    • enhancing the powers of the Privacy Commissioner to improve the Commissioner’s ability to resolve complaints, conduct investigations and promote privacy compliance

    These changes are part of a long consultation process coming out of recommendations made within the Australian Law Reform Commission’s report For your information: Australian Privacy Law and Practice.

    The changes will include new powers for the Privacy Commissioner to enforce privacy laws. Commissioner Timothy Pilgrim said in a statement to the media that these changes were a significant step forward and will allow him to resolve privacy investigations more effectively.

    “The strengthening of these powers also sends a strong message to government agencies and businesses covered by the Act that there can be significant consequences when personal information is not given an appropriate level of protection.”

    “These changes give me more options when undertaking an investigation on my initiative. At the moment I can only make a determination when I am investigating a complaint made by an individual,” Mr Pilgrim said.

    The powers of the Privacy Commissioner to investigate privacy complaints have previously come under criticism, particularly following the well-publicised global Sony data breach in April 2011, which seemed to showcase the gaping hole in Australian privacy law at the time. The data breach left the personal information of approximately 77 million Sony customers worldwide exposed to hackers and threatened the victims with possible identity theft and credit file misuse.

    Criticism was sparked by the Commissioner’s lack of powers to make determinations following any investigation, and also by Australia’s absence of mandatory data breach notification law. It was well publicised that Sony took over a week to notify its customers of the data breach, in the process potentially exposing customers to identity theft and credit file fraud.

    A recent survey conducted by the University of Canberra and eBay Australia found that Australian internet users were highly concerned about identity theft and wanted government to order businesses to notify users of online data breaches.

    The survey, reported in CIO Magazine’s Call for mandatory data breach notification grows: Survey, found that 85 per cent of 700 Australian participants want data breach notifications to become mandatory. Here is an excerpt from that story:

    In addition, 86 per cent of respondents cited identity theft as their greatest privacy concern, while 83 per cent mentioned financial data loss as their biggest concern.

    The survey also found that the financial sector was the most trusted when it came to privacy (42 per cent).

    Social media was the least trusted industry on privacy with only 1 per cent of respondents saying they trusted websites such as Facebook. Sixty-one per cent of Australians surveyed nominated the social media industry as having the worst privacy practices.

    Privacy Commissioner, Timothy Pilgrim, said that the high level of support for mandatory data breach notifications is not surprising given significant data breaches over the past year such as the Sony PlayStation Network compromise.

    “Incidents are on the rise as weaknesses become apparent in business systems at the same time as hackers become more sophisticated,” he said in a statement.

    “I encourage businesses to look at our guide which not only outlines how to respond to a breach, but also how to avoid a breach in the first place by focusing on the security of their systems,” Pilgrim said.

    Other privacy law reform changes will include the introduction of a set of Australian Privacy Principles, and importantly, changes to credit reporting law.

    Some changes Attorney-General Nicola Roxon chose to highlight in her statement yesterday include:

    • making a clear obligation on organisations to substantiate, or show their evidence to justify, disputed credit listings
    • making it easier for individuals to access and correct their credit reporting information
    • prohibiting the collection of credit reporting information about children
    • simplifying the complaints process by removing the requirement to complain to the organisation first, so that complaints can be made directly to the Privacy Commissioner, and by introducing alternative dispute resolution to more efficiently deal with complaints.

    We will be watching with intense interest how the whole barrage of changes around credit reporting could impact consumers and their credit files. The above four recommendations would be a great improvement, as currently consumers can experience difficulty when disputing entries on their credit reports.

    MyCRA is proud to be a Partner for Privacy Awareness Week 2012.

  • Privacy Commissioner reports data breaches on the rise

    As part of Privacy Awareness Week 2012, over 180 business leaders met in Sydney this week to discuss the topic of data breaches. Data breaches can occur through lost or stolen laptops, portable storage devices and paper records, or through databases being ‘hacked’ into or organisations mistakenly providing information to the wrong person. The effects of data breaches can be theft of identity and potentially credit fraud leading to bad credit history for the victim. The Privacy Commissioner claims there is in effect one data breach a week in Australia – an increase of 27 per cent from last year.

    This is an excerpt from Privacy Commissioner Timothy Pilgrim’s statement to the media on Monday on data breaches in Australia:

    “The Office of the Australian Information Commissioner (OAIC) was notified of 56 data breaches in the last financial year, equivalent to a data breach a week. This is up from 44 in the previous year, an increase of 27 per cent,” Mr Pilgrim said.

    However, the Privacy Commissioner also noted that he opened a further 59 investigations into other breaches where he wasn’t notified of the incident.

    “Serious harm can befall people when the security of their personal information is compromised”, Mr Pilgrim said. “It is our view that whenever there is a real risk of serious harm, affected individuals should be notified.”

    …Data breach notification is not a mandatory obligation applying generally to government and business in Australia. However, there is increased pressure on the Government to introduce laws to make it a general legal requirement as it is elsewhere — data breach notification is already a mandatory requirement in Europe, the UK and the United States….

    The Privacy Commissioner warned that in some circumstances, it may be a breach of the Privacy Act not to notify as organisations covered by the Privacy Act must take reasonable steps to protect the information they hold.

    For businesses who would like a reference for guidelines on handling personal information security breaches, the OAIC has released this document:

    Data breach notification: A guide to handling personal information security breaches. It outlines four steps to consider when responding to a breach or suspected breach and also outlines preventative measures that should be taken as part of a comprehensive information security plan.

    Personal information has become a valuable commodity used to commit identity fraud and potentially ruin the victim’s financial future.

    We can’t take lightly the possibility that any company that keeps data on its customers could be exposed to data breaches. Identity theft is becoming more prevalent, and personal information is lucrative for fraudsters.

    Personal information in the wrong hands can lead not only to identity fraud, but the misuse of the victim’s credit file, which can have significant long term consequences.

    Data breaches are difficult for individuals to have any control over, and the only way people can ensure their details are safe is to demand that the companies they deal with have strong IT systems before disclosing that information.

    The Australian Crime Commission’s Identity Crime report advises consumers on ways they can protect their personal information. It advises all individuals to obtain a copy of their credit report annually in order to keep abreast of any changes to their credit file which may point to identity theft.

    This could detect suspicious entries such as new credit enquiries or changes in contact details which would point to an identity theft attempt, allowing steps to be taken before the fraud affects the person’s good credit rating.

    If a person may be vulnerable to identity theft through a data breach, they should check their credit file immediately, and also contact Police who will advise them on the best course of action to take to restore their accounts and potentially their good name. This could include applying for a Victims of Commonwealth Identity Crime Certificate – which covers particular Commonwealth Identity Crime and can aid in recovery.

    If people need help to prepare a case to creditors for default removal following identity theft, it may help to contact a reputable credit repair company.


    MyCRA Credit Rating Repairs is proud to be a partner for Privacy Awareness Week 2012.

  • MyCRA Partners Privacy Awareness Week 2012

    MyCRA Credit Rating Repairs is proud to be a Privacy Awareness Week (PAW) Partner for 2012, which runs 29 April to 5 May. The team at MyCRA hopes we can help educate more people on privacy issues this week and in doing so reduce the number of identity theft cases in Australia. Privacy of your personal information is crucial to prevent identity theft and subsequent credit fraud. This week, through information provided by the Office of the Australian Information Commissioner (OAIC) and also through our own information, we want to help clarify how privacy (or lack of it) can affect your credit file and promote safety of your valuable personal information.

    This post features a newsletter titled “Privacy It’s All About You” provided by the OAIC which will clarify the origins of PAW and the importance of Privacy in your business, your life and for maintaining your good credit history. Please find full newsletter below:

    Privacy: it’s all about you

    Privacy Awareness Week (29 April – 5 May) is an annual event during which the Asia Pacific Privacy Authorities join forces to remind everyone to take steps to protect their own privacy and safeguard personal information about others that they might hold.

    “Privacy is recognised in many countries, including Australia, as a human right,” says Privacy Commissioner Timothy Pilgrim. “Serious consequences can arise when someone’s privacy is breached and we all have responsibilities to look after the personal information we handle.”

    Organisations and government agencies covered by the Privacy Act must meet responsibilities when collecting, using and disclosing personal information. This includes giving sufficient notice about why personal information is being collected and how it will be used and disclosed.

    Businesses covered by the Privacy Act are subject to ten National Privacy Principles or NPPs while most Australian, ACT and Norfolk Island government agencies must comply with eleven Information Privacy Principles or IPPs.

    Quick privacy tips for business and government agencies:

    • Don’t collect personal information that is unnecessary for your business
    • If you do need to collect people’s personal information, tell them why you are doing this, what the information will be used for and how long it will be kept
    • Make it clear who will have access to that personal information, including any third parties
    • Take steps to destroy or de-identify personal information that is no longer required, subject to other record keeping requirements.

    What about you?

    When it comes to protecting your own information, Mr Pilgrim is urging all Australians to be increasingly more vigilant about protecting their information.

    “You really need to pay attention to what information you are sharing and how it may be used, particularly online and when using smartphones, where personal information is routinely collected and stored by any number of entities.”

    Mr Pilgrim says people tend not to think about what information they are giving away or what will happen to it, especially as they make quick transactions online.

    Know what’s going on

    When your online search history is aggregated with other information you may have shared online, a detailed picture emerges that could compromise your privacy.

    Most search engines today track and store details about your browsing habits to help guide you to the information you are seeking. But Mr Pilgrim says that many of us remain unaware of how this happens or where our information may end up.

    “Find out how your information is being used by checking the privacy policy of the search engines you use.  If you want more control, look for options that allow you to prevent aggregation and keep information you post across various accounts separate.”

    Different search engines operate in different ways.  So if you are unhappy with the way your information is being used by one provider, consider using another.

    “I’d encourage people to always use the provider that offers them most control about how their personal information is used,” Mr Pilgrim added.

    Similar issues apply to apps: when you download them, you usually agree to your personal information being collected in some way.

    “Next time you decide to download an app, take a moment to look at the terms and conditions that set out what you are signing up for, what type of information the app developer is collecting and how it will be used.”

    While these kinds of details can be buried in the fine print, Mr Pilgrim says it’s worth making the effort to know and understand what you are agreeing to so your information is not used in unexpected ways.

    “Just as in the real world, if you want to safeguard your privacy, you need to pay attention to what information you are handing over and ask companies what they are doing with it.”

    Find out more at www.privacyawarenessweek.org/oaic

    Stay tuned for more information on Privacy, your personal information and your credit file.

    If you think you may be a victim of identity theft, firstly contact Police who will assist you.

    If identity theft has affected your credit file (credit fraud) and you need help with removing negative listings such as defaults and clearouts which should not be there, it might be helpful to contact a credit rating repairer to go through your options for credit rating repair.

    Graham Doessel, Founder and CEO of My CRA Credit Rating Repairs and www.fixmybadcredit.com.au.


  • Telstra’s at it again. And this time it may affect YOU.

    Your credit file could be affected by errors in the telecommunications industry. Here is a media release we sent out last month about a significant data breach which occurred with Telstra’s customer files. We are eager to see what the Privacy Commissioner’s findings will be on this incident.

    Media Release

    12 December 2011

    A massive data breach of Telstra’s customer database has potentially put around 800,000 of its customers at grave risk of having their passwords stolen and their personal information pilfered by identity thieves.

    The data breach which occurred last Friday, saw detailed personal information which was supposed to be available to Telstra customer service agents only, exposed and openly accessible on the internet.

    The Sydney Morning Herald reported on Friday a user of the Whirlpool forum stumbled upon the “Telstra bundles request search” page after doing a Google search for a Telstra customer support phone number they were told to contact.[i]

    SMH reported the information of any Telstra customer was searchable even by last name, bringing up the customer’s account number, what broadband plan they were on, what other Telstra services they were signed up to and notes associated with the customers’ accounts including in many cases their usernames and passwords.

    There were also other details about technician visits, SMS messages sent to private mobile numbers and credit check details.

    Telstra has reportedly reset approximately 60,000 customer passwords as a precaution.[ii]

    Telstra bundle customer, Graham Doessel is one of those potentially at risk.

    He also happens to be the CEO of a company dealing in credit repair for people who have been unlawfully blacklisted from borrowing facilities. He says as much as 50% of his clientele who present with credit file errors and inconsistencies are Telco customers, and many of those are Telstra customers.

    “This data breach is a crucial example of how errors occur so easily in the Telco industry. Unfortunately they have the potential to severely damage someone’s financial future.”

    “Every day we deal with customers who can’t get a home loan, because their credit rating is damaged by improper execution of policies and procedures in the Telco industry,” Mr Doessel, of MyCRA Credit Repairs says.

    Mr Doessel is concerned he is amongst those Telstra customers whose personally identifiable information may have been viewed, and copied for purposes of fraud during the time the information was readily available on the internet.

    “The issue is about both our possible stolen passwords, and our possible stolen personal details – a huge commodity for fraudsters. What’s to say fraudsters haven’t jumped on the internet while this information has been available and copied it?”

    “Personal details are the building blocks for constructing a fake identity. Once someone has fake ID documents, they can take out significant amounts of credit in the victim’s name. Often people don’t find out about it straight away and that can result in defaults from creditors and massive long term credit issues,” he says.

    Mr Doessel recommends anyone who feels they may be at risk by this data breach take a few precautionary steps to ensure their credit file is protected:

    1. Change passwords. Even if Telstra hasn’t advised you otherwise, go in and change your password. If you have that same password for unrelated accounts, change that as well.

    2. Contact creditors and advise them you may be at risk of identity theft. This will allow them to ‘flag’ your accounts and halt any suspicious activity.

    3. Check your credit file. Obtain a free copy of your credit file and check there is nothing suspicious already present on your credit file.

    4. Alert credit reporting agencies. They can put an alert on your credit file which informs you of any changes to contact details, or suspicious credit enquiries you may not have initiated.

    The Privacy Commissioner, Timothy Pilgrim made a statement yesterday:

    “I have opened a formal investigation into the Telstra data breach. At a briefing today Telstra has assured our office that the immediate problem has been rectified and that personal data is no longer accessible.

    I have asked that Telstra also provide me with a detailed written report on the incident, including how it occurred, what information, if any, was compromised and what steps they have taken to prevent a reoccurrence. I will consider all the information provided by Telstra and hope to be in a position to issue an investigation report in late January 2012,” Mr Pilgrim says.

    It is uncertain exactly what and or how much the Privacy Commissioner could determine Telstra would be liable for.

    A recent decision handed down by the Privacy Commissioner only last week, saw one individual complainant awarded $7500 in compensation after a Leagues Club was found to have breached their privacy.[iii]

    This is not the first time a major data breach has occurred with Telstra. In October 2010, a mailing error saw around 60,000 letters containing personal customer information sent to other customers.

    The Privacy Commissioner found the privacy of Telstra customers was only breached in 2010 due to human error, and did not occur due to any systemic failure of Telstra’s processes or procedures, therefore they were not required to pay damages in this instance.[iv]

    /ENDS.

    Please contact:

    Lisa Brewster – Media Relations media@mycra.com.au

    Graham Doessel – Director info@mycra.com.au

    http://www.mycra.com.au/ 246 Stafford Road, STAFFORD QLD. Ph: 07 3124 7133 www.fixmybadcredit.com.au

    MyCRA Credit Repairs is Australia’s leader in credit rating repairs. We permanently remove defaults from credit files.


  • Privacy Commissioner casts final verdict on Sony data breach

    It seems that there will be no reprisal according to Australian law for the victims of the Sony PlayStation/Qriocity saga which left the personal information of approximately 77 million Sony customers worldwide exposed to hackers and threatened the victims with possible identity theft and credit file misuse.

    Australian Privacy Commissioner Timothy Pilgrim released his official report last Thursday on his investigation into Sony Australia’s possible breach of the Privacy Act.

    His investigation found that Sony did not breach Australia’s Privacy Act when it fell victim to a cyber-attack.

    The investigation looked at whether Sony complied with the National Privacy Principles in the Privacy Act. The Principles require organisations to take reasonable steps to protect personal information, and limit the circumstances in which organisations can use and disclose personal information.

    “I found no evidence that Sony intentionally disclosed any personal information to a third party.  Rather, its Network Platform was hacked into. I also found that Sony took reasonable steps to protect its customers’ personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place,” Mr Pilgrim said.

    Mr Pilgrim was concerned about the time that elapsed between Sony becoming aware of the incident and notifying its Australian customers and the OAIC. There was a gap of a week between the data breach and the notification. However, the Privacy Act does not contain a deadline for data breach notification – so this failure to notify is not classified as a breach of privacy.

    “I would have liked to have seen Sony act more swiftly to let its customers know about this incident. Immediate or early notification of a data breach can allow individuals to take steps to mitigate the risks that arise from their information being compromised,” Mr Pilgrim said.

    “However, I am pleased that in response to this incident, Sony has now implemented extra security measures to strengthen protections around the Network Platform.”

    During the investigation, the Privacy Commissioner examined information pertaining to relationships between the various Sony entities involved in this matter.

    “The international nature of these relationships raises challenges for regulators monitoring personal information flows in these kinds of situations where large global companies are collecting personal information while operating in a number of different jurisdictions.”

    In recognition of this, the Privacy Commissioner will provide a copy of his investigation report to privacy regulators in APEC member economies for their consideration.

    The Privacy Commissioner can only investigate what is within the bounds of Australia’s Privacy Act – and here we get to the real problem.

    Unfortunately our Privacy Laws don’t extend to mandatory data breach notification. So the Privacy Commissioner was unable to investigate what many agree was the real issue – why Sony took a week to notify its millions of customers that their personal information, including credit card details, had been compromised.

    The entire saga and this subsequent investigation have served to highlight a massive hole in Australia’s privacy laws, which leaves people open to this kind of breach of security with no retribution via our Government policy.

    As we advised at the time of the data breach, it is important for anyone who has had their personal details compromised in this way to be on the lookout for possible misuse of their credit file.

    Often people don’t know they have been victims of identity theft until they attempt to obtain credit and are refused, due to defaults on their credit report they are unaware of.

    It is recommended that everyone check their credit file for free every year from Australia’s credit reporting agencies. For people who have been the victim of a data breach and other people vulnerable to identity theft, it might pay to include a separate credit file monitoring service. For instance Veda Advantage will (for a fee) monitor people’s credit files and alert the credit file holder to any changes or entries on their credit file – including credit enquiries.

    If people need help with credit rating repair following identity theft, they can contact MyCRA Credit Repairs toll free within Australia on 1300 667 218.
