Data-security research firm suggests PSN breach could cost Sony over $24 billion

Wednesday, 27th April 2011 16:28 GMT By Stephany Nunneley

The Ponemon Institute, a data-security research firm, has estimated that Sony’s investigation into the PSN breach could cost the firm over $24 billion.

According to the security firm, speaking with Forbes, the cost associated with a firm investigating a malicious or criminal act averages out to around $318 per record, using 2010 figures.

Once you include the 77 million registered PSN accounts, that sum could go over the $24 billion mark.

According to Sony figures, PSN users are present in 59 countries, and 36 million of those are in the US and South America. Europe has over 32 million registered PSN accounts, and Asia 9 million, the majority of which are in Japan.

“Simply put, [this is] one of the worst breaches we’ve seen in several years,” added Josh Shaul, chief technology officer for Application Security Inc., who believes Sony may not know just yet which files were accessed.

Sony admitted it was a possibility that purchase history and credit card address information could be stolen, but said the card’s 3-digit security code on the back could not be gathered from PSN.

“They indicated that they’re worried about it, which is probably a very strong indication that everything was stolen,” Shaul added.

Over in the UK, the ICO is currently investigating whether Sony was unaware there was a possibility of a breach of personal information; if so, the regulator could impose a fine on the console maker of around £500,000.



  1. Razor


    #1 4 years ago
  2. cloud_ix

    i no understand

    #2 4 years ago
  3. ManuOtaku

    Well the M and the B are too close on the keyboard maybe there was a finger mistake I hope, that is way too much

    #3 4 years ago
  4. NiceFellow

    I feel pretty confident Sony won’t be spending 24 billion on this. Hundreds of millions? Maybe. Billions. No way that makes sense.

    #4 4 years ago
  5. Erthazus

    If this is going to be true and they are going to pay 24 billion… I must say that Playstation will never exist and maybe even Sony.

    I’m sorry. THIS shit is just SUPER serious.

    #5 4 years ago
  6. Phoenixblight


    #6 4 years ago
  7. Erthazus

    Hah… Imagine if sony will pay 24 billion…

    You should prepare to say goodbye to the “Playstation” brand :D

    #7 4 years ago
  8. Syrok

    24 billion? Does the whole of Sony even make that much money in a year? :)

    #8 4 years ago
  9. Stephany Nunneley

    Surely the independent security firm Sony used cut them a deal after the first 2 million :)

    #9 4 years ago
  10. FadeLive

    Creditcard breach confirmed:

    Run it through google translate from Norwegian to English. A person got charged 11 times by Sony for buying stuff on PSN he didn’t buy.

    So happy that I didn’t add my credit card to my Playstation account. Sucks for everybody that has gotten compromised.

    #10 4 years ago
  11. Erthazus

    @8, of course not :D

    @10, that’s bullshit. Everyone from the internet can write this up.

    #11 4 years ago
  12. Stephany Nunneley

    @10 I got charged three times for the same movie last year. Sony didn’t give me my money back, I said forget you then, cancel my account.

    #12 4 years ago
  13. ManuOtaku

    Seeing the numbers involved and if they end up being true, I think now I know who just did hack the PSN….. the same independent security firm Sony is using, damn those smart guys, I wish I came up with the idea

    #13 4 years ago
  14. Jaxel

    That is some of the worst and most bullshit math I’ve ever seen coming from a so called “legitimate” security firm. Yeah, a security breach may cost $318 to investigate, but Sony is not going to investigate it as 77 million separate security breach instances.

    #14 4 years ago
  15. ManuOtaku

    #14 i think that depends on the objectives regarding this investigation maybe they stop with an X amount of accounts, till they find what they want, but maybe they dont know at which amount, but like i said that depends on the goals of this

    #15 4 years ago
  16. Phoenixblight


    I know right? They are just going to look at the system as a whole, it’s our responsibility to keep watch on our info.

    #16 4 years ago
  17. Mystic Sage

    That seems a bit excessive for what Sony needs them to do but however much it is they need to pay up because they need to look into each users account information and see if anything was stolen so they can notify those users and steps can be taken to protect themselves.

    #17 4 years ago
  18. Phoenixblight


    No not really they will look into the system as a whole and see what areas were breached and compromised and then send a mass email to everyone that may have been affected.

    Whoever did the math just did 318$ x 77000000 which comes to 24 billion which is just wrong, very wrong.

    #18 4 years ago
  19. Razor


    #19 4 years ago
  20. ManuOtaku

    I don’t think they are trying to find the accounts that are being damaged, I think maybe is a possibility they are trying to find which was the account used to spread the hack.

    #20 4 years ago
  21. DrDamn

    I also demand they spend the same amount on investigating my bogus other country accounts (including my Beverly Hills pad in LA (only zip code I knew off the top of my head) and my pad in Tokyo at 1 Osaka Rd.). Whoever actually buys this data is gonna be a bit hacked off that well over 50% of the accounts are actually dodgy ones :-).

    That’s not actually confirmed though is it? It’s suspicious but how were there purchases on or about the 26th of April when everything was offline for nearly a week? Looks more like a charging cock-up.

    #21 4 years ago
  22. Patrick Garratt

    @19 – :D

    #22 4 years ago
  23. Zarckan

    @FadeLive I cry foul to that site… How can someone be charged BY Sony on the 26th when PSN is down?

    What security breach means is someone ELSE can use your details they got from Sony, NOT that your details get used ON Sony…

    dumb fuck!

    #23 4 years ago
  24. DrDamn

    *If* PSN was online couldn’t they hack into your account, change your email address and password and then buy stuff they want using that account? I agree the dates seem to discount the recent hack being the cause though, the evidence certainly doesn’t confirm anything by itself though.

    #24 4 years ago
  25. Phoenixblight


    “*If* PSN was online couldn’t they hack into your account, change your email address and password and then buy stuff they want using that account?”

    Well Sony sends you an email to the original account telling you your info has changed. Then you can call the bank or CC company and tell them to block whatever charges that happen upon that date and ask them for a new card.

    #25 4 years ago
  26. Mondayding

    I’ve never heard such rubbish. 24 billion dollars? Not going to happen. Oh yes, lets spend more than we’ve got investigating something so that we end up going out of business. I don’t think so.

    Next story please.

    #26 4 years ago
  27. metamorphic

    Pokemon Institute, lol? *snickers in the back*

    #27 4 years ago
  28. lexph3re

    It’s awfully funny hearing some people say they can’t do anything about bad charges to their account. I had got charged twice for a movie and a game before. All I did was go to the bank, filled out a alpadavid (had to spell it how it sounds) and my funds were restored. If you didn’t get a refund for bad charges it’s because you didn’t really want your money back.

    #28 4 years ago
  29. Phoenixblight


    #29 4 years ago
  30. darksied

    Seriously though, if anyone has any incorrect charges (which, the chances are small; without the ccv number on the back it’s hard to use your card), then the easiest thing to do is call up your credit card company. Call up Chase, BoA, CapitalOne, etc. They have systems in place to stop fraud, and it’s pretty easy actually to tell them that it’s a fraudulent purchase and they’ll clear it after a day or so. It’s pretty easy and it doesn’t require you to do anything except make a phone call. You don’t have to go to your bank and fill out forms, just call the number on the back of your card; EVERY credit card company has a fraud department, and just explain what happened.

    Of course, you can’t lie to them to try to get out of a purchase or something; they’ll find out (and woe to you).

    #30 4 years ago
  31. lexph3re

    Thank you so much Phoenix. But yes that’s all you have to do is sign an >.> affidavit to your bank swearing you didn’t make the purchases. Then they refund and investigate, if Sony says you did and gives proof then they take the money back.

    #31 4 years ago
  32. NeoSquall

    Too bad my card holder, the Italian postal service, doesn’t have any fraud watch and the only thing they hinted me to do is delete the old card and make a new one.

    I’d do it right away, if it wasn’t for:
    - the order for The Witcher 2 CE I made on TheHut, signed on that card
    - the order for the Red Dead Redemption GOTY Guide I made on TheHut, signed on that card
    - the order for Duke Nukem Forever: Balls of Steel (PC) I made on TheHut, signed on that card
    - the order for Brink: Special Edition I made on GAME UK, signed on that card
    - the order for L.A. Noire I made on GAME UK, signed on that card
    - the order for Deus Ex: Human Revolution – Augmented Edition (PC) I made on GAME UK (as a backup if I don’t want the CE on Amazon anymore), signed on that card.

    All these orders can’t have the card details changed, so if I delete the card I’m basically fucked.

    Also, today I found that my available balance is 1,13 euros LESS than my accounting balance. FUCK IT.

    #32 4 years ago
  33. ManuOtaku

    I am worried about the users’ account personal data issue, but the thing that strikes me the most is that passwords could’ve been compromised too, according to Sony’s statement. Passwords are never stored in readable text, and neither encrypted for that matter, for what I do understand they are hashed which makes them almost impossible to gather the original password from the hashed one. It doesn’t matter if you compromise the entire network, if you obtain the hashing formula, or any encryption key. Hashed passwords are nearly impossible to unhash, if the hackers did access this too, IMHO it will mean that the security level in PSN is beyond low.

    Another thing that I am worried about is that the hack being used makes believe that the encryption used is part of Sony’s networks, the hackers can use the Credit Card information to purchase items on the store, make it believe it was Sony system doings, I don’t understand much of this but this wouldn’t mean that the transactions will be harder to link and follow, I mean for the refund of the money with your credit card bank holder?

    #33 4 years ago
  34. NeoSquall

    As a rule of thumb, any order listed as “SONY ONLINE SERVICES INTERNET GBR” in your bank movements can be appealed until 1. you change your credit card or 2. Sony changes its online services handler.

    In second opinion, scratch point 1.

    #34 4 years ago
  35. blackdreamhunk

    them consoles are sure costing Sony a ton of money lol

    sorry I really dislike Sony and Microsoft. So when are those new consoles coming???

    #35 4 years ago
  36. MegaGeek1

    LOL @ that number

    77 million registered user accounts? I thought it was agreed that Sony has “shipped” maybe 50 Million PS3s? So each owner has 1.25 accounts?

    #36 4 years ago
  37. lexph3re

    You do know there are people with psp’s that can create psn accounts as well right?

    #37 4 years ago
  38. MegaGeek1


    I have 2 accounts also, one NA and one UK.. I just assumed majority of the users weren’t as hardcore as me about getting a demo 24 hours early.

    #38 4 years ago
  39. lexph3re

    I have 2 NA accounts myself but I also have friends with 2 accounts, 1 NA another JPN. Then I have some friends who have PSPs and accounts with no PS3s. So I suspect there are plenty of others following suit

    #39 4 years ago
  40. loveaya

    This is an unfunny joke…Whether it’s true or not, we can say that SONY is in danger. Even if she could bring PSN back within 1 week, the next thing to do is deal with the problems she will be faced with!

    #40 4 years ago
  41. dtyk

    LOLL BP didn’t pay that much after murdering millions of little sea animals and Sony is expected to pay this for pissing off GeoHotz… ohhh man this world is officially upside down.

    They’ll never pay that much. Couple hundred million maybe but 24 billion? Whoever wrote this is out of their mind.

    #41 4 years ago
  42. hitnrun

    The $24 billion number is probably nonsense. (Even in today’s dollars :P) That figure was probably arrived at by the same kind of professional alarmists who determine that piracy “costs” the industry $10bn a year by estimating the downloaders on BitTorrent and multiplying by $60.

    But it certainly will reach into the billions.

    As an aside, people saying it’s no big deal because the security codes couldn’t have been stolen are dead wrong. Many merchants don’t use the code. I worked at a CS/fulfillment center just last year where…well, you would probably be better off not knowing. Let’s just say everything except the 15-16 digit card number is negotiable, depending on your issuing bank.

    #42 4 years ago
  43. NightCrawler1970

    Hopefully Sony should open their F*cking eyes and realize that CC is not the only way to buy shit on PSN… and will accept member + by prepay, without shitting, if ya membership almost expire “WE will charge you by credit card to renew it”… for now on, PRE-PAY!!!!!! same as Xbox Live..

    Ya Expired, than buy a pre-pay live card to get online again….
    It will save a whole lot that $24 Billion smackaroos for lawyers and that poor ass worn out stinky Hillbilly that lives in the bush named “alabama man”…. who knows now, he can trade in his worn out Ford 350 model 1975 for a brand new Ford 750 heavy duty 4×4 V10 Diesel..

    #43 4 years ago
