Financial analysts have estimated that Sony’s possible loss of account information may cost the company billions of dollars in damages.
Sony is not certain that personal credit card information was stolen but admitted that such theft was a possibility, and even that possibility may cost the company. The Ponemon Institute, a research firm that studied previous credit card hacks, estimated last year that data breaches involving a nefarious attack – which Sony admitted is the case here – cost an average of $318 per compromised record. With Sony’s PlayStation Network consisting of 77 million user-created accounts, cleaning up the mess may cost the company $24.5 billion. In addition, Sony may suffer penalties from governments across the globe for failing to protect consumers’ personal information, including a £500,000 fine from the U.K.
“Simply put, [the attack on Sony is] one of the worst breaches we’ve seen in several years,” said Josh Shaul from a company called Application Security that specializes in protecting databases like the one over which Sony lost control. Shaul believes that just the fact that Sony announced the loss of credit card information should cause some alarm.
“They indicated that they’re worried about it, which is probably a very strong indication that everything was stolen,” he said.
According to the United Kingdom’s Data Protection Act, all companies that store personal information are required to keep it secret, keep it safe. A representative from the Information Commissioner’s Office said that even though Sony’s EULA attempts to shield the company from that responsibility by stating, “We exclude all liability for loss of data or unauthorized access to your data,” such a “contract” might not hold up. It depends on whether the data was physically stored within the borders of the United Kingdom and how fast Sony is able to clean up its act.
“If the company is not compliant with the act within a certain time limit, further action would be taken and we might consider an enforcement notice or issue a monetary penalty,” the rep said. “For serious breaches of the act, we can issue a monetary penalty up to £500,000.”
Another legal expert, Jas Purewal from the GamerLaw blog in the UK, said that all of this is only possible if actual criminal acts can be proved to have occurred as a result of the breach. “However, it is important to remember that there is no evidence of such misuse of personal data at present. If an account compromise does not actually lead to misuse of such data, then any legal claim would be more difficult.”
Now, to be honest, I don’t really think that Sony is going to be $24 billion in the hole due to this breach, but it will certainly have an impact on both the future of its PlayStation Network and the viability of such a pervasive gaming network. Xbox Live and Steam might be unaffected now, but this attack on the PSN proves that such networks are vulnerable.
Also, what’s been lost in this whole mess is how the attack affects the little guys. The independent developers who sell their games exclusively from PSN haven’t made a dime in the last week, and probably won’t for a good long time as consumer confidence in the PSN will take a long time to return. Unless Sony bails them out, the devs behind games like PixelJunk Shooter and ModNation Racers are screwed, and I think that’s the real tragedy here.