Sony's data breach costs likely to scream higher

TOPICS: Hardware, Security

Sony has spent $171 million related to the data breach involving its PlayStation Network, Qriocity and other online properties, but the company is likely to spend a lot more in the quarters ahead if history is any guide.

The company previewed its net losses related to the Japan earthquake and tsunami as well as its data breach. Sony said 77 million records were compromised and the company took down the services for weeks.

As a result of the breach, which hasn't led to any personal identity theft to date, Sony's known costs for fiscal 2012 are 14 billion yen. That works out to $171 million. That sum goes to:

  • Estimated costs related to identity theft protection;
  • Welcome back program costs;
  • Customer support;
  • Network security enhancement tools;
  • Legal and consulting costs;
  • And the financial hit due to future lost revenue.

Sony adds:

These amounts are our reasonable assumption based on the information currently available to Sony. So far, we have not received any confirmed reports of customer identity theft issues, nor confirmed any misuse of credit cards from the cyber-attack. Those are key variables, and if that changes, the costs could change. In addition, in connection with the data breach, class action lawsuits have been filed against Sony and certain of its subsidiaries and regulatory inquiries have begun; however, those are all at a preliminary stage, so we are not able to include the possible outcome of any of them in our results forecast for the fiscal year ending March 2012 at this moment.

Now $171 million sounds like a big number for an outage and breach just a month ago. But based on per record costs, Sony isn't even close to average. If the current expense estimate holds---highly unlikely---Sony will get by with a cost of $2.22 a record or so.

The catch is that the average data breach cost for companies that respond rapidly is $268 a record, according to Ponemon Institute's annual data breach cost report. If companies take longer to respond to data breaches, they pay $174 a record. Most companies prefer to move faster. If Sony moved quickly---it did given that it shut down its network after the breach---total breach costs could handily top $20.6 billion. The low cost estimate for Sony would be $13.4 billion. The problem for Sony is that malicious attacks are the most expensive form of data breaches ($318 a record). Overall, the average data breach cost per record is $214 for 2010.

Those figures come from actual costs incurred by 51 organizations hit with a data breach. Ponemon's data counts "expense outlays for detection, escalation, notification, and after-the-fact (ex-post) response" as well as the "economic impact of lost or diminished customer trust and confidence as measured by customer turnover, or churn, rates."

Even if you assume Sony has no long-term fallout from its breach and only suffers direct costs, which averaged $73 per record, the company's expenses should be in the $5.6 billion range.

In other words, Sony's $171 million in data breach expenses is just a down payment.

  • How about .....

    management time? It may not show up immediately as an accounting item, but fighting fires takes time away from other extremely important management issues and responsibilities.

    Not that I feel sorry for them.
  • RE: Sony's data breach costs likely to scream higher

    Never trust sony.
    • RE: Sony's data breach costs likely to scream higher

      @james347 So nice as well as precious thing to watch for everyone. I furthermore suggest you that
  • When you act like a schoolyard bully...

    You might have to face the consequences.

    Isn't karmic payback wonderful?
  • RE: Sony's data breach costs likely to scream higher

    The study really should have split out the costs into variable (per record) and fixed. Many security related costs must be paid whether you are securing 100,000 records or 100,000,000.

    Without knowing the average number of records per breach in the study and since Sony's breach was huge, I'd bet that using the cost/record numbers from this study would skew the estimate too high.

    Though I definitely agree that Sony has lowballed it by a large amount. I'm sure because the security breach coupled with the earthquake fallout would have sent their stock price plummeting.
  • RE: Sony's data breach costs likely to scream higher

    What is happening to Sony could happen to anyone. NOTHING is 100% secure. NOTHING.

    And if these costs are actually what Sony has to pay, then there will be no Sony. And as much as they have screwed up, so has Nintendo, so has Microsoft. Sony isn't some evil empire. They employ thousands and thousands of people around the world, they are responsible for much of the innovation in consumer electronics and video games. So, Sony deserved some mud in their face. That's been done and done again. But Sony isn't so bad that they deserve to go bankrupt.
    • Not really


      When you royally pi$$$$ off the hacker community, you are just picking a fight with the wrong group. Bullies usually pick on the weak and defenseless. In this case they picked on someone apparently a lot smarter than themselves.

      Stupid, VERY stupid.
      • RE: Sony's data breach costs likely to scream higher

        @Economister-Agreed. Coders built the internet (not Al Gore). They make the games, applications and OS's we all enjoy. You just DON'T pizz these guys off. These events make clear what happens if you do. Sony STILL hasn't learned, as their sites around the world are still being hacked daily with the same SQL injection and URL exploits.
        Tisk tisk Sony. Maybe shouldn't have been so heavy handed in your treatment of the modding/homebrew/cracker community. Somewhere, G. Hotz is laughing his a$$ off!
        Animus et Illuminat
      • RE: Sony's data breach costs likely to scream higher

        @Economister There's nothing wrong with taking a strong position and 'picking a fight.' The issue is whether you have something to back it up or not. Companies can't regulate, legislate, or sue their way out of this problem. The trouble is they brought a knife to a gun fight, and they were outgunned and definitely outnumbered.
    • RE: Sony's data breach costs likely to scream higher


      Let's count the issues...

      Yes, it COULD happen to anyone. The issue is that in the case of Sony, a lot of it had to do with improperly securing their customer database. It's gross negligence that makes a database find itself in such a position that 77 million records are transferred BEFORE the server is taken down.

      They may be responsible for some of the pioneering, but really, what did the PS3 bring to the table? A next-gen optical disc drive? Xbox 360 had an HD-DVD disc drive; it just lost the format war. PSN was an answer to Xbox Live, PS Move was their flavor of motion controls to compete with the Wii. Certainly there were aspects that were refined more than the others, and they did multimedia tasks better than the Xbox or Wii, but I'd credit them more for making optical media the standard with the PS1 and moving us away from cartridges than I would for anything that took place in the present generation.

      Conversely, Sony has had a history of being anti-consumer in the lab and in the courtroom alike. In fairness, they did make a court precedent for timeshifting on Betamax so thanks for that, but they did give us Memory Stick, UMD, Minidisc, and a few other proprietary formats which escape my memory, which directly competed with more open, available, and less expensive industry standards for which they didn't have patents. They found themselves in the courtroom on account of the rootkit issue with their CDs, and they retroactively pulled out OtherOS from the PS3. PS2 backwards compatibility also depends on which model you have.

      Whatever happened, Sony was so unprepared for it that it took them a MONTH to get the system back up and running. Any system that requires a month of downtime to properly secure before being brought back up isn't something that can "happen to anyone", it's incompetence of an unacceptably appalling degree.

      I'll agree that perhaps Sony doesn't deserve to go bankrupt...but they do deserve the first wave of this money come out of their executives' paychecks.

      • RE: Sony's data breach costs likely to scream higher

        @voyager529 Big thanks for your article, i found a little distinct viewpoint at
    • RE: Sony's data breach costs likely to scream higher

      @razumen-actually neither Nintendo nor MS has ever had such a problem with tens of millions of user data records being stolen. Sure, they have been jailbroken and cracked, but nothing NEAR the magnitude of Sony's folly. These events are "unprecedented". Sony makes great products don't get me wrong, mostly hardware, but their software and particularly their network security leaves MUCH to be desired. And yes, if they can't learn from their mistakes, at the cost of their customers, then damn right they deserve to go bankrupt. When companies fail both their consumers and shareholders, they tend to do just that! If it were a bank and not an electronics/video game company, everyone would be screaming for their heads! But they'd prob just get bailed out anyways (at least if it were a US company).
      Animus et Illuminat
  • rofl

    Okay, this is just now getting to the borderline between funny and sad. I bet Sony is losing a lot of business over this. Speaking of funny...
    Poll: How many times will Sony get hacked?

  • LOL Looks like the bullies are getting their payback

    This all started after Sony sued the kid who proved their noobish claim of the PS3 being unhackable to be false.

    Gonna go grab some pop-corn and watch as karma keeps kicking the $s out of Sony's a$$