The Australian federal government will introduce laws forcing companies to disclose privacy breaches after Sony revealed that more than 1.5 million Australian user accounts were compromised in the recent attack on its PlayStation Network.
The stolen information includes names, addresses, birthdays, email addresses and log-in passwords. Of the 1,560,791 Australian accounts that were affected, 280,000 had credit card details, but these were encrypted and there had been no reports of fraudulent activity, Sony said.
The Privacy Minister, Brendan O'Connor, said he was ''very concerned'' about the theft of personal information and expressed disappointment that Sony took ''several days'' to inform customers about the breach. This meant a mandatory ''data breach notification'' system now ''appears necessary'', he said.
However, the government is yet to say when such laws would be introduced. Mr O'Connor said the mandatory disclosure laws would be considered as part of the government's response to the remaining 98 recommendations stemming from the Australian Law Reform Commission's review into privacy.
''Sony isn't alone. We've seen serious privacy-related incidents in recent months involving other large companies,'' Mr O'Connor said, referring to incidents involving Dell Australia and Telstra. ''All companies that collect customers' personal information must ensure that the information is safe and secure from misuse.''
The Australian Privacy Commissioner, Timothy Pilgrim, is investigating the Sony incident and said yesterday he was awaiting responses to a series of questions he raised with Sony in a letter on April 26. Sony has been given until ''mid-next week'' to respond.
''I have asked Sony to tell me what security measures it had in place at the time of the incident to ensure its customers' personal information was secure and whether, in hindsight, it considers these steps were reasonable measures to take to protect its customers' personal information from unauthorised access and disclosure,'' said Pilgrim.
Sony executives apologised for the security breach at the weekend and promised to improve security and compensate users with free access to the PlayStation Network.
''We deeply apologise for the inconvenience we have caused,'' said Kazuo Hirai, chief of Sony's PlayStation video game unit, who was among the three executives who bowed for several seconds at the company's Tokyo headquarters in a traditional Japanese apology.
''This criminal act against our network had a significant impact not only on our consumers, but our entire industry.''
Sony Australia said it believed there was no truth in reports that lists had been offered for sale.
Despite these assurances, more reports have surfaced from PlayStation users claiming fraudulent use of their credit cards, including a flight booked in Germany and purchases in Japanese grocery stores.
The executive director of the University of NSW's Cyberspace Law and Policy Centre, David Vaile, said the incident was a ''chilling example'' of the dangers of companies storing so much personal information on centralised online servers.