The Australian Privacy Commissioner has published the report of his own motion investigation under the Privacy Act 1988 (Cth) following media reports that an unauthorised person accessed personal information of approximately 77 million customers of the Sony PlayStation Network/Qriocity, including customers in Australia.

He found that Sony Computer Entertainment Australia (SCE Australia) did not breach the Privacy Act when it fell victim to a cyber-attack.

The investigation looked at whether Sony complied with the National Privacy Principles in the Privacy Act. The Privacy Commissioner found no evidence that Sony intentionally disclosed any personal information to a third party. Rather, its Network Platform was hacked into.He also found that Sony took reasonable steps to protect its customers’ personal information, including encrypting credit card information and ensuring that appropriate physical, network and communication security measures were in place.

While the Privacy Commissioner found no breach of the Privacy Act by SCE Australia, he was concerned about the time that elapsed between Sony becoming aware of the incident and notifying customers and the Office of the Australian Information Commissioner.