The massive data breach that exposed information from more than 100 million PlayStation Network and Sony Online Entertainment user accounts may end up being the most expensive data breach of all time.
Sony, which announced on April 26 that information from 77 million PlayStation Network user accounts could have been stolen, added another 25 million compromised accounts to the list May 2. The newly added accounts are on its online multiplayer division, Sony Online Entertainment (SOE).
Hackers stole personal data, including credit and debit card information, in a complex attack that could cost Sony and credit card issuers $1 to $2 billion, experts say.
“This may be the mother of all data breaches at this point,” says Larry Ponemon, chairman of the Ponemon Institute, a research organization in Traverse City, Mich., that publishes an annual study on the cost of data breaches.
To date, the largest data breaches include up to 130 million credit card numbers stolen from Heartland Payment System in 2008, up to 100 million accounts from retailer TJX in 2005 and 2006, and more than 4.2 million credit and debit card number from the grocery chain Hannaford Bros. in 2008.
Mr. Ponemon thinks that the Sony data breach will be more expensive than previous hacks because PlayStation and Sony are household names whose reputations could suffer.
Sony announced on Monday that personal information from up to 24.6 million SOE user accounts could have been stolen, and that credit card, debit card, or bank account numbers were stolen from more than 20,000 users outside the US.
The information illegally obtained from the 24.6 million compromised accounts includes at least the following information:
- e-mail address
- birth date
- phone number
- login name
- hashed password
Mr. Ponemon says that Sony will pay “the lion’s share” of the costs involved with the data breach, but that banks and credit card issuers could incur some of the costs as well. Ponemon estimates that it could cost as much as $25 for an organization to issue a new credit or debit card to a user whose account has been compromised. Sony could choose to cover part or all of those costs right away, or the company will be at greater risk of lawsuits from banks and other credit-card issuers.
Each potentially compromised account could cost Sony between $10 and $100, or up to $1billion in all, in technical issues, extra communication, and credit-card services, says John Pescatore, an analyst at Gartner, Inc. However, he adds, “There’s usually not a customer loyalty issue” for retailers.
However, Ponemon says that consumers are more sensitive about privacy issues when it involves children or adolescents. Because the Sony data breach involves video game user accounts, young people’s information could have been compromised, which would be a bigger blow to Sony’s reputation and could increase sales for competitors in the short term, he says.
In addition to costs to Sony or credit card issuers, which Ponemon estimates would total up to $2 billion, customers and merchants could suffer, too. Customers whose debit card or bank account information was obtained are especially at risk.
“Debit card is in fact access to your banking account,” says Ponemon. “Any loss sustained on a debit card, in most cases, is not refundable to you.”
If a criminal does use a stolen credit card number to make a purchase, it is often merchants, not consumers or banks, that feel the brunt.
“The way credit cards works in the US everything rolls down hill and lands on the merchant,” says Mr. Pescatore.
The cyber attack was complex, and though Sony was targeted this time, its competitors will feel vulnerable, too, until the case is solved.
People should not keep their credit card or debit card numbers on file, Ponemon says, whether it's on a website or gaming console. People have a hard time thinking of gaming consoles as machines that carry the same privacy risks as computers connected to the Internet.
“In this mobile connected world, everything is connected,” says Ponemon. “Today it’s our PlayStation, tomorrow it might be our refrigerator or our washing machine.”