Sony has spent $171 million related to the data breach involving its PlayStation Network, Qriocity and other online properties, but the company is likely to spend a lot more in the quarters ahead if history is any guide.
The company previewed its net losses related to the Japan earthquake and tsunami as well as its data breach. Sony said 77 million records were compromised and the company took down the services for weeks.
As a result of the breach, which hasn't led to any personal identity theft to date, Sony's known costs for fiscal 2012 is 14 billion yen. That works out to $171 million. That sum goes to:
- Estimated costs related to identity theft protection;
- Welcome back program costs;
- Customer support;
- Network security enhancement tools;
- Legal and consulting costs;
- And the financial hit due to future lost revenue.
These amounts are our reasonable assumption based on the information currently available to Sony. So far, we have not received any confirmed reports of customer identity theft issues, nor confirmed any misuse of credit cards from the cyber-attack. Those are key variables, and if that changes, the costs could change. In addition, in connection with the data breach, class action lawsuits have been filed against Sony and certain of its subsidiaries and regulatory inquiries have begun; however, those are all at a preliminary stage, so we are not able to include the possible outcome of any of them in our results forecast for the fiscal year ending March 2012 at this moment.
Now $171 million sounds like a big number for an outage and breach just a month ago. But based on per record costs, Sony isn't even close to average. If the current expense estimate holds---highly unlikely---Sony will get by with a cost of $2.22 a record or so. Related: Sony’s uncomfortable security microscope will last for months
The catch is that the average data breach cost to respond rapidly is $268, according to Ponemon Institute's annual data breach cost report. If companies take longer to respond to data breaches they pay $174 a record. Most companies prefer to move faster. If Sony moved quickly---it did given that it shut down its network after the breach---total breach costs could handily top $20.6 billion. The low cost estimate for Sony would be $13.4 billion. The problem for Sony is that malicious attacks are the most expensive form of data breaches ($318 a record). Overall, the average data breach cost per record is $214 for 2010.
Those figures come from actual costs incurred by 51 organizations hit with a data breach. Ponemon's data counts "expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response" as well as the "economic impact of lost or diminished customer trust and confidence as measured by customer turnover, or churn, rates."
Even if you assume Sony has no long-term fallout from its breach and only suffers direct costs, which averaged $73 per record, the company's expenses should be in the $5.6 billion range.
In other words, Sony's $171 million in data breach expenses is just a down payment.