Sony Corp., Japan’s largest consumer-electronics exporter, has been witnessing very troubled times in the recent past – first the impact of Japan’s earthquake and tsunami on their business, followed by the cyber-attack on the PlayStation Network and Qriocity systems two weeks ago, and the outage of services since the scale of the cyber-crime was realized by the company.
Sony’s stock fell by 4.5% to 2,211 yen, the lowest since March 15th, this earlier low a result of the overall Japan market fall because of the earthquake and tsunami.
In an open letter posted on the PlayStation Blog, Howard Stringer, President and CEO of Sony Corp., has apologized for the frustration brought on by the cyber-attack and related down-time to all PlayStation and Qriocity users, and has assured users that Sony is moving ahead with plans to help protect PSN customers from identity theft around the world with a $1 million identity theft insurance policy per user being launched soon.
What first appeared to be a persistent network outage, denying users access to Sony’s PlayStation Network, turned out to be way more than just an outage, and way worse, when Sony announced the security breach a couple of days after the continuing outage.
Sony Corp. was attacked by computer hackers between April 16 and April 19, but it was a couple of days before Sony made an announcement saying that the hackers had done off with personal data of 77 million PSN and Qriocity customers. This data included customer names, addresses, e-mail addresses, gender, birth dates, phone numbers, log-in names, and hashed passwords.
More bad news came by soon after, with the company announcing that the same breach had also compromised Sony Online Entertainment customers, with the number of hacked accounts having now been increased by the company to 101.6 million.
And while the company has repeatedly been saying that they have no evidence of their main credit card database having been breached, Sony did release a statement saying that an "outdated" database from 2007, consisting of credit and debit card numbers and expiration dates (but not credit card security codes) for about 12,700 non-U.S. customers, along with about 10,700 direct debit records listing bank account numbers of customers in Germany, Austria, the Netherlands, and Spain may have been stolen as part of the attack.
So, in addition to the company facing the wrath of millions of PSN, Qriocity and Sony Online Entertainment users, the few days Sony took to make this data-breach information public has also caused U.S Government official to unleash their rage at the Japanese electronics giant for not informing users sooner about the identity thefts that had taken place.
Reports say that Sony has been subpoenaed by New York in relation to these database breaches of its PlayStation Network.
As part of the assurance provided by Sony, Stringer’s letter posted on the PlayStation Blog announces a “Welcome Back” package to all PlayStation and Qriocity customers as soon as services for these two systems are back up.
Among other benefits, this package will include a month of free PlayStation Plus membership for all PSN customers, along with an extension of subscriptions for PlayStation Plus and Music Unlimited customers to make up for time lost.
Sony is also offering its PlayStation Network and Qriocity users a year of free identity-theft monitoring.
According to a blog post by Patrick Seybold, a spokesman for the Tokyo-based company’s video-games unit, Sony is in the final stages of testing the PS Network before restarting it.
How much did the breach cost Sony?
Millions of frustrated users, feeling vulnerable with the theft of information regarding their identity, but how much is this data breach likely to have cost Sony?
Market estimates currently oscillate between $20 million in lost revenues over a couple of weeks to $32 billion in terms of total costs involved in dealing with the consequences of losing control of customer data.
With annual revenue of Sony from PlayStation Network sales of downloadable games, movies, music etc being estimated at about $500 million, the two week outage would amount at around $20 million in terms of revenue over the two weeks. Add to this a 30% profit margin, i.e., this amounts to the loss of another $6 million in profit.
The Welcome Back package announced by Sony offers free membership credits etc., to compensate users for downtime, but does not really take into account financial compensations the company would need to make for personal data breaches, if Sony offered this to their customers.
Forbes has cited a study carried out by the Ponemon Institute, a data-security research firm, which estimates the per person cost for a data breach at $318. With over a 100 million users across all three services affected by the cyber-attack, personal compensation for all users whose personal data has been breached would mean almost another $32 billion.
And while Sony is unlikely to offer personal compensation, these numbers are a strong reminder of how dearly data breaches can cost a company.
image courtesy msnbc.msn.com