As Sony Corp. released more details about what it calls a "highly sophisticated criminal cyber attack" that compromised the personal information of millions of its PlayStation online gamers, Canada's Privacy Commissioner added her name to a list of the company's critics.
Privacy Commissioner Jennifer Stoddart used a speech Wednesday to chastise Sony for failing to inform her office about its massive breach. And she called for new powers to level "significant, attention-getting fines" on companies whose lax data security results in privacy breaches.
"I was very disappointed that Sony did not pro-actively notify my office of the breach," Ms. Stoddart said, according to the text of a speech she delivered in Stratford, Ont., that was posted on her website. "However, since my office contacted Sony, the company has been very co-operative."
Canada's privacy legislation does not require companies to notify the commissioner, or even customers, in the case of an information leak. Proposed legislation that was before Parliament prior to the election would have changed this.
In the face of what she called an "alarming trend towards ever-bigger data breaches," Ms. Stoddart said she now plans to ask Industry Canada to rewrite that proposed legislation to give her the power to impose fines - powers that privacy officials have in Britain and France.
"Too many companies are collecting more personal information than they are able to effectively protect," Ms. Stoddart said.
Her comments come as Sony faces multiple investigations and legal battles after two massive data-security breaches that have left the personal information of more than 100 million customers in the hands of unknown hackers and forced the shutdown of its PlayStation and Qriocity online entertainment networks.
Some customers have accused Sony of waiting too long to warn them that their personal data, including passwords, phone numbers, e-mail addresses and birth dates - and possibly credit card and bank account information - could be in the hands of hackers.
The company now faces potential class-action lawsuits from angry customers demanding hundreds of millions in compensation, including one filed this week in Toronto.
More details about the attacks emerged in a letter submitted Wednesday to a subcommittee of the U.S. House of Representatives by Kazuo Hirai, chairman of the board of Sony Computer Entertainment America LLC. Sony submitted the letter instead of having an executive testify at a hearing on cyber attacks.
Mr. Hirai blames earlier "denial of service" attacks by the hacker group known as "Anonymous" for allowing other hackers, possibly in a co-ordinated assault, to get at the private data of its customers. Anonymous, he writes, targeted Sony as "a protest against Sony for exercising its rights in a civil action in United States District Court in San Francisco against a hacker."
In the letter, Sony acknowledges first discovering "unauthorized activity" on its computer system on April 19, and it shut down its PlayStation network the next day. While security teams worked to trace the breach, Sony did not call in the Federal Bureau of Investigation until April 22, or inform the 77 million affected customers their data may have been compromised until April 26. A second attack, affecting another 25 million customers, was discovered May 1.
Addressing critics who say Sony dragged its heels, Mr. Hirai said the company was doing its best to deal with a complex and hard-to-trace cyber attack: "The truth is that retracing the steps of experienced cyber attackers is a highly complex process that takes time to carry out effectively."
Ashley Beaulac, a spokeswoman for Sony Computer Entertainment Canada, said the company would not comment on the data breach or the lawsuits beyond the information for users it has already posted on the Internet.