The controversy over the Sony PlayStation network debacle has continued, with the international tech giant revealing that it has suffered yet another breach, potentially compromising the data of thousands of customers.
The new announcement comes as home affairs minister Brendan O’Conner has warned that privacy laws could be changed as a result of the breach, and could potentially force companies to disclose when they suffer an attack.
O’Conner has said that as a result of the breach, which compromised the data of over 70 million customers, he was “very concerned” about the state of digital security in Australia. He also said he was disappointed Sony took several days to tell customers that a breach had occurred.
As a result, O’Conner told Fairfax this means a “data breach notification” type of system “appears necessary”.
The minister’s office was contacted for comment this morning, but no reply was available before publication.
Meanwhile, overnight Sony announced that in connection with the outage of its Sony Online Entertainment services, a new cyber-attack was discovered. This attack – which is separate to the breach which occurred nearly two weeks ago – saw hackers gain access to an out-dated database.
About 12,700 non-US customer credit or debit card numbers have been accessed, although not the security numbers associated with those cards, while bank account numbers have also been accessed of customers in European countries.
“There is no evidence that our main credit card database was compromised. It is in a completely separate and secured environment,” it said.
The second breach is a significant embarrassment for the company, considering the ongoing investigation into the initial breach, and customers are growing frustrated as they are unable to access some of their favourite online services.
Symantec head of small and medium business in the Pacific region Steve Martin says a mandatory reporting system described by O’Conner is already being considered by the Australian Law Reform Commission, and that there is a call in the tech community for such a move.
“The Australian Law Reform Commission a couple of years ago submitted some amendments to Parliament, and they are currently sitting with the Government and are up for review.”
“In those proposed amendments are clauses and phrases that discuss mandatory loss disclosure. Currently, we have voluntary guidelines, but people are not choosing to disclose.”
Martin says there is certainly a desire within the ALRC to introduce a type of system that would make disclosure mandatory.
“That means if an organisation suffers a data loss, then they have a requirement to disclose that data loss and the appropriate legislators.”
However, Martin acknowledges there are several complications within such legislation that would need to be addressed, such as identifying the type of data being breached and the extent to which the company has gone to protect that data.
“Nobody wants to be on the front page of the paper, and certainly not for the wrong reasons. But it does bring to front of mind the importance of providing the right level of protection that you’re a custodian of.”
The Sony issue certainly highlights the need for companies to go above and beyond the call of duty when protecting user data.
The international tech giant has been called for the US congress to testify, while the Australian privacy commissioner has begun its own investigation.
But as O’Conner has warned, the issue lies not just with Sony.
”Sony isn’t alone. We’ve seen serious privacy-related incidents in recent months involving other large companies,” he told Fairfax.
This is supported by a new report released by security firm AVG yesterday, which shows there has been major growth in campaigns exploiting Facebook users, along with an increase in risk for smartphone users.
”All companies that collect customers’ personal information must ensure that the information is safe and secure from misuse,” O’Conner says.
Martin agrees, and says the issue serves as a warning for businesses collecting personal information – especially if future legislation will require businesses disclose whenever their personal data has been breached.
“Perhaps that will help organisations mandate the right type of technology approaches for their company, the right types of protection they use and so on.”
Martin says each organisation needs to identify on its own what type of confidential data it holds. While this may not necessarily be credit card data, it may be architectural drawings, memos, or other types of documents that contain banking or financial information.
He recommends businesses contact the privacy commissioner in order to determine what privacy guidelines they should follow.
“The privacy commissioner is a great way to start and get a feeling for what’s going on, and how they can identify personal information.”
“Good businesses identify what information they have, and then figure out an appropriate way of guarding it. That could be encrypting it, ensuring it can’t be stolen in some form, etc.”
“This is important, because a breach of confidential information for a small business could endanger the very life of that business.”