In its into the hacking and possible breach of the Privacy Act, the office said that while the Privacy Commissioner found -- albeit based on information provided by SCE Australia -- 'reasonable steps' were taken to protect personal information at the time, the elapsed time between SCE Europe becoming aware of the incident and notifying consumers and the Office of the Australian Information Commissioner was too long.

"In this case, the Privacy Commissioner believes that affected individuals could have been notified earlier, rather than SCE Europe allowing seven days to elapse after discovering the cyber attack had occurred," the report reads.

"This delay may have increased the risk of a misuse of the individuals' personal information."

It is estimated that as many as 100 million users of the PlayStation system and Sony's Qriocity film and music network worldwide were affected by the data breach.

Detailing the investigation into possible breaches of the Privacy Act, the office said the Privacy Commissioner had concluded that SCE Australia had not breached the act, as it "held no personal information relating to the incident".