Sony has found itself in a familiar headline-grabbing scenario. With the ink barely dry on the $15 million settlement of a class action brought following the 2011 Sony PlayStation data breach, this time Sony Pictures Entertainment, the TV and movie arm of Sony, has suffered a cyber attack by a hacking group calling itself "Guardians of Peace".
In late November the hacking group infiltrated Sony's internal network, stole data, hijacked company Twitter accounts, defaced its websites and disabled the corporate email system. There are also reports that, during the attack, the hackers destroyed data on Sony's servers.
The vast amount of data stolen and later leaked on peer-to-peer file sharing websites includes:
- five unreleased movies;
- files containing details of 47,000 employees, including names, dates of birth, social security numbers, home addresses, salaries, medical records and performance reviews;
- files containing credit card numbers, passwords and identity documents;
- Outlook mailboxes;
- sales data and information on planned movie and TV productions; and
- IT data, including security IDs, authentication details, vendor passwords, instructions for accessing various servers, master asset lists and the locations of databases and servers.
This data is still available for download on file sharing websites. In addition to valuable corporate and confidential information and Sony's intellectual property, the stolen and leaked data included the personal information of Sony's employees, executives and actors.
Gossip websites are having a field day, analysing the leaked data and reporting the salaries of various actors, directors and producers.
The ramifications for Sony are colossal. Sony admits that the full extent of the data breach is not yet known. Along with significant reputational damage, Sony will incur significant costs to investigate the breach and remediate its IT systems, together with legal fees and the cost of defending class action lawsuits.
On 15 December 2014, current and former Sony employees filed a class action against Sony alleging that Sony failed to protect their personal information. The damage bill from the 2011 worldwide Sony PlayStation data breach, which resulted in the disclosure of 77 million user accounts, including names and credit card details, is still fresh in the minds of Sony executives. Sony estimated that the costs of remedying the 2011 breach were at least $171 million.
Sony has labelled the cyber attacks "malicious criminal acts" and a "brazen attack on our company, our employees and our business partners". However, Sony's own data security practices are under the spotlight following the data loss.
It has been reported that much of the leaked personal information of employees was stored in Excel files that were neither encrypted nor password protected. There are also reports that thousands of passwords for computer and social media accounts were stored in plain text in a folder labelled "Password".
PERSONAL INFORMATION MUST BE PROTECTED
Sony’s misfortune is a timely reminder for all Australian organisations to consider their own responsibilities in respect of data security and the storage of personal information.
In the Australian context, data storage practices of this kind would not meet the requirements of APP 11 of the Australian Privacy Principles set out in the Privacy Act 1988 (Cth). APP 11 requires an organisation to take such steps as are reasonable in the circumstances to secure the personal information it holds, and to protect that information from:
- misuse, interference and loss; and
- unauthorised access, modification or disclosure.
The OAIC's Data Breach Notification Guide provides that security safeguards need to be implemented for physical records, computers, networks and communications. The Guide recommends that organisations implement technologies to secure personal information, such as multi-factor authentication, strong access controls and robust encryption, and that they separate the internal IT network into multiple functional segments.
The OAIC’s Guide to Information Security also details the steps organisations should implement to protect personal information. A handy one-page summary is available here. A revised version of this Guide was released for public consultation earlier this year, and an updated version should be released shortly.
Although Australia does not yet have a mandatory requirement to notify affected individuals and regulators of data breaches, any delay or failure in notifying affected individuals that a data breach has occurred will be one of the factors the Privacy Commissioner considers in determining whether the organisation has taken reasonable steps to protect personal information under APP 11.
The Data Breach Notification Guide also provides that reasonable steps to secure personal information under APP 11 include ensuring that the organisation has a clearly documented and implemented data breach policy and response plan. Sony was widely criticised, including by the Australian Privacy Commissioner, for its delay in notifying users of the 2011 data breach.
TIME FOR A NEW YEAR'S RESOLUTION?
The most recent Sony data breach is a reminder of the importance of robust security systems and protocols for storing information (including personal information). Perhaps a prudent New Year's resolution for your organisation is to:
- conduct a wholesale IT security audit and governance review to identify and test for security vulnerabilities;
- ensure staff training programs are implemented and data breach response plans are documented; and
- otherwise adopt a "privacy by design" approach that assesses privacy implications at the outset of any project that involves a change to the way personal information is collected, used, disclosed, stored, destroyed or de-identified.