Sony Pegs Initial Cyber-Attack Losses at $35 Million

Sony says that investigating the hack of its entertainment business unit is on track to cost $35 million by the end of March.

The attack on Sony Pictures Entertainment will cost consumer giant Sony an estimated $35 million in investigation and remediation fees through March 2015, the company told investors on Feb. 4.

During its third-quarter earnings announcement, Kenichiro Yoshida, Sony’s chief financial officer, told investors that it paid an estimated $15 million to investigate the cyber-attack and expects to pay another $20 million by the end of March. A Sony spokesperson confirmed the estimates, but declined to comment on whether the company expects additional costs.

Overall, the incident will have little impact on the bottom line of the consumer giant, which expects to produce more than $60 billion in revenue during its fiscal year ending March 31, 2015.

“Sony believes that the impact of the cyber-attack on its consolidated results for the fiscal year … will not be material,” the company said in its financial statement.

In the pantheon of cyber-attacks, Sony’s quoted damages are small. Other attacks have resulted in far greater business losses, but usually in conjunction with a breach of consumer data. The theft of credit-card and personal information from Target during the 2013 holidays, for example, cost the company more than $148 million. In September 2014, Home Depot acknowledged that 56 million consumer records were stolen from the company, and expected to pay at least $62 million to clean up the breach.

Yet the costs quoted by Sony are likely only a small fraction of the overall damages. In its 2014 Global Report on the Cost of Cyber Crime, the Ponemon Institute found that the investigation, incident response and management only accounted for a third of the costs of a breach, suggesting that the overall damages due to the breach could be closer to $100 million.

In addition, the failure to release The Interview in theaters has meant that the company will not be able to make back the estimated $75 million in production and marketing costs spent on the movie. While the comedic spoof is reportedly the most successful digital movie release, it had grossed just $15 million in December, according to Sony.

Yet, while the dollar amount lost by Sony may be small compared with other breaches, the impact on other businesses has been stark, Nat Kausik, CEO of breach-detection firm Bitglass, told eWEEK.

“The Sony breach has changed everything, in the sense that, prior to the Sony breach, the cost of a breach was purely material, in dollar terms,” Kausik said. “The Sony breach … truly affected the reputation of all the employees, especially the executive team. A period of their lives was laid bare to the public eye. The dollar terms no longer capture the damages.”

No wonder, then, that Sony and other major breaches in 2014 have given momentum to corporate security programs. More than 60 percent of IT and IT security people will see their budgets increase this year, by an average of 34 percent, according to another Ponemon Institute study. Most of the increased budget will be spent on technology to better detect breaches, respondents said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...