Limiting the impact of data breaches: The case of the Sony PlayStation Network
The seemingly unending stream of data breaches could be avoided or mitigated with a rigorous approach and a proactive process for risk management. Such an approach can make all the difference when senior management is called to account in the aftermath of a crisis.
Contacts
Chicago: Mike Connolly, Senior Partner, +1-312-578-4580, mike.connolly@strategyand.pwc.com
Düsseldorf: Jens Niebuhr, Partner, +49-211-3890-195, jens.niebuhr@strategyand.pwc.com
Frankfurt: Rainer Bernnat, Partner, +49-69-97167-414, rainer.bernnat@strategyand.pwc.com
This report was originally published by Booz & Company in 2011.
Every company faces crises at one time or another. A few of them, especially so-called Black Swan events like the record-shattering Japanese earthquake of March 2011, are unavoidable. But others, including the seemingly unending stream of data breaches, could be avoided or mitigated with a rigorous approach and a proactive process for risk management. Such an approach can make all the difference when senior management is called to account in the aftermath of a crisis.
Sony’s back-to-back crises
Digital transformation can have a profoundly negative impact on a company when its risks are not managed properly. Consider the PlayStation Network (PSN) data breach disclosed by Sony Corporation in April 2011, and the events that have unfolded since. Described in the press as a “debacle,” “fiasco,” and “humiliation,” the breach clearly inflicted serious damage on Sony, especially in combination with the generally poor economic conditions globally and the other major crisis already under way in Japan at the time of the breach, resulting from the earthquake of March 11, 2011.

That earthquake was the most powerful ever to hit Japan, and the fourth most powerful in the world since modern record keeping began in 1900. It struck 400 kilometers (248 miles) northeast of Sony’s Tokyo headquarters and triggered tsunami waves as large as 38 meters (124 feet) that traveled as far as 10 kilometers (six miles) inland. The earthquake caused the ongoing event (level 7, the highest on the International Nuclear and Radiological Event Scale) at the Fukushima I Nuclear Power Plant, and its overall cost is estimated to exceed US$200 billion, making it the most expensive natural disaster on record.

Just over a month later, on April 20, 2011, a 14-year-old boy returned to his Chicago home after school expecting to join three friends online and play Might & Magic: Clash of Heroes (a fantasy adventure in which young people from different cultures band together to stop demons from taking over the world) on his Sony PlayStation 3. But the PSN service was down. Several days later, Sony explained that it had taken the network offline on purpose because of a massive data breach that eventually involved more than 100 million customer accounts.
Though the Japanese earthquake and Sony’s data breach are certainly not comparable in terms of societal impact and suffering, they do provide a useful lesson in risk management and mitigation for companies with major positions in digital services and valuable information assets.
The operational impact
Operations at several of Sony’s Japanese plants and facilities were affected by the March 11 earthquake. Widespread power outages caused the suspension of manufacturing operations at plants in Sony’s chemical, information, optical, semiconductor, and energy businesses. In addition, Sony’s Sendai Technology Center, in Tagajo, Miyagi, which took the full force of the tsunami, was badly damaged and remains closed.

In contrast, the scope of the data breach was limited to one business unit, Sony Computer Entertainment, and the subscribers to its PlayStation Network, an online multiplayer gaming and digital media delivery service accessed through PlayStation 3 and PlayStation Portable video game consoles. Launched in November 2006, the service has approximately 77 million subscribers, primarily in the U.S. and Europe, and generates an estimated $500 million in annual revenue (just 0.6 percent of Sony’s total revenue in 2010). The data breach involved the personal information of PSN subscribers, including real names, addresses, PSN account logins and passwords, birthdays, and e-mail addresses. More seriously, it may have extended to profile data, purchase histories, billing addresses, and PSN password security answers. There is also concern that as many as 2.2 million credit card records might have been exposed, although this information was stored in encrypted format.

The breach was detected by Sony on April 19, and the company shut down PSN the next day to stem additional losses and fully assess the scope of the incident. According to Sony, the outage prevented users from having the “ability to enjoy the services provided by PlayStation Network and [Sony’s video streaming service] Qriocity including online gaming and online access to music, movies, sports and TV shows.” On April 22, Sony confirmed that an “external intrusion” had occurred. On April 26, it disclosed that account information of all 77 million PSN subscribers had been breached.
A few weeks later, Sony discovered that a further 24.6 million Sony Online Entertainment accounts had also been exposed during the breach.
Assessing the costs
In late April, Sony announced that the 10th and final plant affected by the earthquake would resume production by the end of May. The cost of the earthquake, according to Sony, was $475 million in fiscal 2011 and will approach $1.8 billion in fiscal 2012.

In contrast, Sony has not yet been able to calculate the full cost of the data breach. The company initially estimated the cost at $171 million in fiscal 2012, including lost business and response costs such as identifying and repairing the breach and notifying subscribers. But Sony hastened to add that this figure did not account for costs related to class action lawsuits by customers (at least two of which are already under way), customer identity theft, and credit card theft. External estimates, which include these potential future costs and losses in market capitalization, are much higher. For example, the most widely recognized industry standard for evaluating such events, the Ponemon Institute’s annual “Cost of a Data Breach” report, estimates that the PSN breach could eventually cost Sony as much as $24.5 billion. The actual cost will likely lie somewhere between the two estimates.

Another way to effectively measure and compare the potential impacts of these two crises is to analyze their effects on Sony’s share price on the Tokyo Stock Exchange (see Exhibit 1). This analysis reveals a significant difference in the impacts of the two crises on the company’s market valuation. The immediate impact of the earthquake on Sony’s share price (-19 percent) was generally perceived by capital markets to be about the same as the impact to the general economy (-18 percent), but both recovered about 50 percent of the loss by March 27. After that, Sony’s share price slowly dropped in comparison to the Nikkei index, probably due to the actual impact of the earthquake on its operations.
The data breach, on the other hand, caused a sustained 12 percent loss in Sony’s share price — the equivalent of $3.6 billion in market capitalization. And recent events suggest that this could worsen, because more security weaknesses have been revealed as Sony has restored service, and the recovery phase is not yet fully complete.
Exhibit 1: Sony’s share price, March–May 2011. Sony Corporation vs. Nikkei 225 index (Tokyo Stock Exchange closing prices in Japanese yen), plotted from late February through the end of May 2011, with the Japanese earthquake and the Sony PSN data breach marked; the Sony series is annotated “-12%” after the breach.
Source: Morningstar.com; Strategy& analysis
To put in perspective the loss that Sony faces due to the data breach, consider the cost of Toyota Motor Corporation’s unintended acceleration crisis in 2010. That crisis involved a recall of almost 8 million vehicles in Europe and the U.S. and the temporary suspension of production of eight models in North America, including the best-selling Camry. Toyota estimated its cost at $2 billion, and yet, in the week following the announcement, its share price fell only 8.5 percent. So either the markets are irrational in their current evaluation of the impact of the PSN data breach or the operational impact will be more severe than the impact of Toyota’s crisis on a revenue percentage basis. Evaluating events based on share price is admittedly imperfect, but the key message is clear: The PSN data breach knocked Sony off the post-tsunami economic recovery path in Japan.
An ounce of prevention
This raises a critical question: Could risk management have prevented or mitigated Sony’s back-to-back crises? In a crisis of the magnitude and consequence of the Japanese earthquake, the answer is probably not. It was clearly a Black Swan — an event with extremely low probability and devastating impact. A risk manager who predicted that an earthquake such as this would occur, and requested the budget necessary to protect the company against it, would most likely have been ignored.

The PSN data breach, however, is another story. According to Shinji Hasejima, Sony’s CIO, the breach occurred in PSN’s Web application service platform. “The vulnerability was a known vulnerability,” he said during a press conference on May 1, 2011. Further, in the current threat environment, IT security and risk managers feel that it is almost certain that adversaries will try to access their information. Given this level of threat certainty, all risk and security managers should consider adopting a comprehensive strategic framework for protecting customer data throughout its life cycle (see Exhibit 2). This framework suggests a series of fundamental questions that risk managers need to ask themselves in advance of incidents like the Sony data breach. They include the following:

Governance: Who will take the lead in protecting the data assets of the business, and how will top management ensure that this leader has the proper visibility and the resources needed to ensure that the job is done correctly?
Risk Management: Where are the data security vulnerabilities in the business, and what would the impact be if they were exploited? What specific information assets should be considered high priority?
Integrated Security: How should security investments be prioritized to reduce the overall risk profile of the company to an acceptable level? Which investments will provide the largest return?
Incident Management: When a security breach does occur, how can the impact to the business be minimized?
Continuity Planning: If operations are disrupted, how can they resume as quickly as possible?
Exhibit 2: A customer data protection framework. The diagram places customer data security at the center, surrounded by Risk Management (risk assessment, business impact analysis), Integrated Security (IT security, physical security, enterprise architecture), and continuity elements (disaster recovery, business continuity management, information sharing).
The senior management challenge
If you had asked Sony’s senior leaders a year ago to identify 10 events that could potentially erase 12 percent of their market capitalization in a matter of days, “unauthorized access to a list of online gamers” probably would not have made the list. If you had asked the same executives after the earthquake to identify 10 events that might keep Sony from recovering at the same rate as the overall economy in Japan, the result would likely have been the same. Yet that is exactly what happened.

No one held Sony’s management responsible for failing to predict an unimaginable natural catastrophe, but the PSN data breach is sure to be a different story. Sony will recover from the earthquake at a substantially slower rate than other Japanese companies because an as-yet-unidentified culprit exploited a known software vulnerability. Why that happened is something Sony management will very likely have to explain to its board of directors, to judges and juries in class action lawsuits, and, most important, to its customers and shareholders.

Though it is impossible to provide total information protection, particularly against very sophisticated hackers, companies can adopt highly effective information risk management programs. Such programs can block all but the most determined and skilled adversaries, and minimize the consequences of successful attacks. Indeed, an additional ounce of prevention is often far more effective than a pound of cure.
Strategy& is a global team of practical strategists committed to helping you seize essential advantage. We do that by working alongside you to solve your toughest problems and helping you capture your greatest opportunities.
These are complex and high-stakes undertakings — often game-changing transformations. We bring 100 years of strategy consulting experience and the unrivaled industry and functional capabilities of the PwC network to the task. Whether you’re charting your corporate strategy, transforming a function or business unit, or building critical capabilities, we’ll help you create the value you’re looking for with speed, confidence, and impact.
We are a member of the PwC network of firms in 157 countries with more than 195,000 people committed to delivering quality in assurance, tax, and advisory services. Tell us what matters to you and find out more by visiting us at strategyand.pwc.com.
© 2011 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. Disclaimer: This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.