But Sony Computer Entertainment Australia did not act quickly enough to inform customers of PSN and Qriocity data breaches Sony Computer Entertainment Australia should have acted more quickly to notify customers of the data breach from the hacking of the PlayStation Network and Qriocity platforms in April, the office of the Australian Privacy Commissioner has said.In its report into the hacking and possible breach of the Privacy Act, the office said that while the Privacy Commissioner found — albeit based on information provided by SCE Australia — ‘reasonable steps’ were taken to protect personal information at the time, the elapsed time between SCE Europe becoming aware of the incident and notifying consumers and the Office of the Australian Information Commissioner was too long.“In this case, the Privacy Commissioner believes that affected individuals could have been notified earlier, rather than SCE Europe allowing seven days to elapse after discovering the cyber attack had occurred,” the report reads.“This delay may have increased the risk of a misuse of the individuals’ personal information.” It is estimated that as many as 100 million users of the PlayStation system and Sony’s Qriocity film and music network worldwide were affected by the data breach.Detailing the investigation into possible breaches of the Privacy Act, the office said the Privacy Commissioner had concluded that SCE Australia had not breached the act, as it “held no personal information relating to the incident”. This was due to customers’ personal data, at the time of the incident, being stored in a data centre in San Diego, California.“The Privacy Commissioner accepted, based on the information provided by SCE Australia, that personal information held by the related companies was not disclosed to an unauthorised party; rather the information was accessed as a result of a sophisticated security cyber attack on the Network Platform’s systems,” the report reads.The report said the Privacy Commissioner was also satisfied with how Sony Australia implemented additional security measures to help protect personal information following the data breach.“For these reasons, the Privacy Commissioner ceased his own motion investigation into SCE Australia,” the report reads.“However, given his concerns over the period that elapsed before Sony notified its customers, the Privacy Commissioner strongly recommended that Sony review how it applies the OAIC’s Guide to handling personal information security breaches.”Follow Tim Lohman on Twitter: @Tlohman Follow Computerworld Australia on Twitter: @ComputerworldAU Related content brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security news Gitlab fixes bug that exploited internal policies to trigger hostile pipelines It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. By Shweta Sharma Sep 21, 2023 3 mins Vulnerabilities Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe