UK authorities have just slapped Sony PlayStation with a $400,000 fine for their massive password breach in 2011.

That $400k is nothing compared to the total cost. Sony reported an estimated outlay of $171M for insurance, customer support, and rebuilding their user management and security systems. Since the breach, partially due to a drop in customer confidence, Sony’s stock price has dropped from $30 to $13.


But, Sony was a Mega-Attack: 77 million exposed records. An attack on your user database will probably cost about $5.5M.

Symantec publishes an annual “Cost of Data Breach Study”; they survey breached companies and share fascinating tidbits and user security trends:

  • The average attack costs a company $5,500,000
  • ~$3M of that is from lost business: increased customer churn, costlier customer acquisition, damaged reputation and loss of goodwill
  • On average, 28,349 records were compromised in an attack
  • The cost to notify breached users increased, due to increased regulation

Notification is only going to become more expensive: the EU and UK aren’t the only places where data breaches can end up in the courts. One of the biggest mistakes Sony made was delaying their reporting of the breach. So far, 45 US states legally require owners of personal information databases to inform affected individuals in the event of a data security breach. Increased privacy legislation is coming to the US, too.

The good news is that more businesses are becoming proactive, and “more organizations are using data loss prevention technologies.” This dropped the average cost per breach from $7.2M in 2012. As more attackers are leveraging the power of the cloud for scaled attacks, more companies are fighting back with cloud security.

Sony wasn’t able to hide behind their defense; namely, that getting attacked is part of running a “21st Century business.” The rebuttal from the UK Information Commissioner’s Office was clear:

“There’s no disguising that this is a business that should have known better. [Sony]…trades on its technical expertise, and … had access to both the technical knowledge and the resources to keep this information safe.”

We started Stormpath to make those resources available to everyone. Even if you don’t need to do Level Five Password Security, secure password workflows and user stores are a great starting point.

If you want to read the whole report: Symantec 2011 Cost of Data Breach Study. And if you want a user management system that handles your workflows securely, use us for free.