Sony has spent US$171 million related to the data breach involving its PlayStation Network (PSN), Qriocity and its other online properties, but the company is likely to spend a lot more in the quarters ahead, if history is any guide.
Average data breach costs according to the Ponemon Institute. (Credit: Ponemon Institute)
The company yesterday previewed its net losses related to the Japan earthquake and tsunami as well as its data breach. Sony said that 77 million records were compromised, and the company took down the services for weeks.
As a result of the breach, which hasn't led to any personal identity theft to date, Sony's known costs for fiscal 2012 are ¥14 billion. That works out to US$171 million. That sum goes to:
- estimated costs related to identity theft protection;
- welcome back program costs;
- customer support;
- network security enhancement tools;
- legal and consulting costs; and
- the financial hit due to future lost revenue.
These amounts are our reasonable assumption based on the information currently available to Sony. So far, we have not received any confirmed reports of customer identity theft issues, nor confirmed any misuse of credit cards from the cyber attack. Those are key variables, and if that changes, the costs could change. In addition, in connection with the data breach, class action lawsuits have been filed against Sony and certain of its subsidiaries, and regulatory inquiries have begun; however, those are all at a preliminary stage, so we are not able to include the possible outcome of any of them in our results forecast for the fiscal year ending March 2012 at this moment.
US$171 million sounds like a big number for an outage and breach just a month ago, but based on per-record costs, Sony isn't even close to average. If the current expense estimate holds, Sony will get by with a cost of US$2.22 per record or so.
The catch is that the average cost for companies that respond rapidly to a data breach is US$268 per record, according to Ponemon Institute's annual data breach cost report. If companies take longer to respond to data breaches, they pay US$174 per record. Most companies prefer to move faster. If Sony moved quickly, and it did, given that it shut down its network after the breach, total breach costs could handily top US$20.6 billion. The low-cost estimate for Sony would be US$13.4 billion. The problem for Sony is that malicious attacks are the most expensive form of data breach (US$318 per record). Overall, the average data breach cost per record is US$214 for 2010.
Those figures come from actual costs incurred by 51 organisations hit with a data breach. Ponemon's data counts "expense outlays for detection, escalation, notification and after-the-fact (ex-post) response" as well as the "economic impact of lost or diminished customer trust and confidence as measured by customer turnover, or churn, rates."
Even if you assume that Sony has no long-term fallout from its breach and only suffers direct costs, which averaged US$73 per record, the company's expenses should be in the US$5.6 billion range.
In other words, Sony's US$171 million in data breach expenses is just a down payment.
Via ZDNet US