[LINK] OAIC's Investigation of the Sony Break-In

Roger Clarke Roger.Clarke at xamax.com.au
Wed May 4 17:21:36 AEST 2011


At 15:25 +1000 4/5/11, OAICnet wrote:
>Statement on the OAIC’s investigation into the Sony data breach
>Statement: 
>http://www.oaic.gov.au/news/statements/statement_investigation_into_Sony_data_breach.html

>Investigation into Sony data breach
>Statement from Australian Privacy Commissioner, Timothy Pilgrim
>On 26 April, I opened an own motion investigation into the Sony 
>Playstation Network in response to reports that hackers may have 
>stolen the personal data, including credit card details, of users. 
>Sony later contacted my Office to confirm that the incident had 
>occurred. This investigation is ongoing.
>On the same day I sent Sony a formal letter asking them a series of 
>questions, including:
>-   exactly what personal information was compromised by the hacker, and
>-   what security measures it had in place at the time of the
>incident to ensure that information was secure.
>I also asked
>-   whether, in hindsight, it considers these steps were reasonable
>measures to take to protect its customers' personal information from
>unauthorised access and disclosure.
>I am expecting a response from Sony by 13 May 2011.


No questions appear to have been asked about:
-   how did the personal information come to be accessed, and in 
particular what vulnerability was exploited
-   what security measures had been expected to protect against that 
kind of attack
-   on what basis were those security measures decided upon, e.g. 
what form of risk assessment and risk management procedures did the 
company apply
-   how do the security measures that were in place line up against 
industry standards
-   what further or changed measures are being applied as a result of 
the manifest inadequacy of the measures that were in place at the time

Questions like that might be asked in a second round.  It may be much 
easier to frame the second round of questions once the first round 
has been answered.

But if all that the PC'er does is ask a small sub-set of the 
substantial set of questions that arise from the event, is the public 
interest really being adequately served?

Note that, on previous form, the PC'er will refuse to publish any 
meaningful information about the outcomes of the investigation;  so 
we may or may not ever know the full set of questions asked, let 
alone the answers provided.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
