Soon, the ongoing PlayStation Network outage will enter its eighth day. The past 24 hours of downtime have seen some dramatic developments, as yesterday Sony revealed that the "external intrusion" that prompted the crisis also resulted in PSN users' information being compromised. Since an estimated 77 million people have signed up for the service, the scope of the data leak is huge.
The cost of the potential information theft could be even larger. In an article today, Forbes cites data-security research firm The Ponemon Institute as estimating that the "cost of a data breach involving a malicious or criminal act" was, on average, $318 per compromised account. Given the most recent PSN population estimate, that formula puts the potential cost at over $24 billion.
The 2009 Ponemon Institute study that determined the figure, available here, "takes into account a wide range of business costs, including expense outlays for detection, escalation, notification, and after the fact (ex-post) response. [Ponemon] also analyze[s] the economic impact of lost or diminished customer trust and confidence, measured by customer churn or turnover rates."
On the bright side, Sony did say that some PSN services should be restored within a week. Then, late yesterday, it offered some answers as to why it took so long for the company to announce that users' personal data may have been accessed by an outside party.
"There's a difference in timing between when we identified there was an intrusion and when we learned of consumers' data being compromised," said senior director of corporate communications and social media Patrick Seybold in a statement on the PlayStation Blog.
He continued, "We learned there was an intrusion April 19th and subsequently shut the services down. We then brought in outside experts to help us learn how the intrusion occurred and to conduct an investigation to determine the nature and scope of the incident. It was necessary to conduct several days of forensic analysis, and it took our experts until [April 25] to understand the scope of the breach."
Sony also made a further attempt to answer PSN users' questions by posting an FAQ on the official PlayStation website. Though it often declines detailed comment, the FAQ answers a variety of questions, including steps to avoid phishing scams. It also said that Sony was "reviewing options" about potentially refunding customers due to the downtime, which could add to the cost of the outage.
Meanwhile, Eurogamer reports that the British government is launching an inquiry into the PlayStation Network data breach. The site quotes the Information Commissioner's Office as saying, "We have recently been informed of an incident, which appears to involve Sony. We are contacting Sony and will be making further enquiries to establish the precise nature of the incident before deciding what action, if any, needs to be taken by this office."
The move comes one day after US Senator Richard Blumenthal (D-CT) called on Sony to offer full disclosure to PSN users if their information was compromised. He also demanded the company offer users two years of free access to credit reporting services so they can check whether their credit was adversely affected, raising the prospect of still more expenses for the company.