Sony breach worsens as privacy commissioner begins investigation

The Sony PlayStation Network debacle has continued to worsen, with the company revealing that some of the data accessed by hackers was not encrypted and that it took one week for it to notify users of the breach.

The Australian privacy commissioner has also begun an investigation into Sony Australia, saying that companies handling sensitive data need to ensure that their customers’ information is protected and that notification is made immediately.

“I am very concerned by news reports that hackers have stolen data from users of the Sony PlayStation Network,” privacy commissioner Timothy Pilgrim said in a statement.

“Our office is contacting Sony seeking further information about this matter and we will be opening our own investigation.”

While the PlayStation Network – which serves over 70 million customers, over 700,000 of them in Australia – was brought down last week, it was only in the past few days that Sony confirmed a breach of the network had occurred.

But yesterday Sony revealed in a statement that while all its users’ credit card data is encrypted, some of its users’ personal information was not. “The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack,” it said.

Angry customers have begun to retaliate. One man in Alabama has launched a lawsuit alleging that Sony did not take sufficient steps to protect customer data and that it failed to implement a proper firewall.

The lawsuit also alleges that because Sony took several days to inform users of the attack, the risk was heightened that the data would be used by the hackers. Sony has defended this practice in its blog, saying it needed to take time to figure out what was going on.

Commissioner Pilgrim has already addressed this issue in a statement, saying informing customers “is an important step to mitigate any potential impact on individuals”.

The lawsuit claims, according to Computerworld, that as a result of wrongful acts and omissions, “consumers and merchants have been exposed to what is one of the largest compromises of internet security… in United States history”.

The whole situation raises serious questions for companies – both large and small – which handle customer data. It comes just weeks after customer credit card data held by cosmetics company Lush was taken by hackers, even prompting the company to warn consumers to block their cards.

The Privacy Act does not state that companies need to encrypt their data, but one of the National Privacy Principles does say that an organisation must take “reasonable steps” to protect personal information.

The office of the Privacy Commissioner has said that “reasonable steps” would depend on the sensitivity of the information held by the company.

AVG security expert Lloyd Borrett says while he is unaware of any legal requirement to encrypt data, companies working with credit card details need to ensure they are following the PCI compliance scheme.

One of the PCI compliance standards states that credit card data needs to be stored separately, and encrypted – a practice Sony claims it has fulfilled.

And while there have been preliminary media reports of some Sony customers finding unusual charges on their credit cards, Borrett says that if the data was properly encrypted, most customers will be fine.

“I haven’t seen anything that confirms all 77 million records have been obtained. If the data was in an encrypted database, then it is unlikely they would be able to access it.”

“Sony appears to be making the right moves in this situation. They’ve sent out an email now, they’ve shut down the network, and are investigating the problem.”