This was due to customers' personal data, at the time of the incident, being stored in a data centre in San Diego, California.

"The Privacy Commissioner accepted, based on the information provided by SCE Australia, that personal information held by the related companies was not disclosed to an unauthorised party; rather the information was accessed as a result of a sophisticated security cyber attack on the Network Platform's systems," the report reads.

The report said the Privacy Commissioner was also satisfied with how Sony Australia implemented additional security measures to help protect personal information following the data breach.

"For these reasons, the Privacy Commissioner ceased his own motion investigation into SCE Australia," the report reads.

"However, given his concerns over the period that elapsed before Sony notified its customers, the Privacy Commissioner strongly recommended that Sony review how it applies the OAIC's Guide to handling personal information security breaches."