Sony’s Very, Very Expensive Hack


It has been three weeks since a shadowy group of hackers started to release a huge cache of data, films, and email stolen from Sony Pictures Entertainment. And the disaster just keeps getting worse.

The group has now threatened theaters that show The Interview, a James Franco and Seth Rogen vehicle due to go into wide release on Christmas Day. “All the world will see what an awful movie Sony Pictures Entertainment has made,” the letter reads. “The world will be full of fear. Remember the 11th of September 2001. We recommend you to keep yourself distant from the places at that time.” That has raised the possibility that Sony will pull the film, a theory put forward by Kai Ryssdal, among others.

If that happens, and even if it does not, the corporate hack seems likely to be among the most expensive of all time — up there with the 2014 Target breach (price tag: about $110 million), TJX’s 2007 hack (about $250 million), and Sony’s 2011 PlayStation hack (about $170 million).

It’s still too early to know just how badly the hack might hurt Sony’s bottom line, especially given that the hackers keep on putting out new leaks and new threats. But some early estimates of the corporate damage have started to trickle out. And $150 or $300 million does not seem like a bad guess at the moment, meaning the hack might wipe out half of the Sony Pictures unit’s 2013 profits.

First, there are the direct costs from the breach — replacing computers, updating data systems, hiring forensic investigators to look into the incident, beefing up the legal department, and so on. Right now, estimates for those costs are hovering around $70 or $80 million, or about twice as much as Sony spent producing The Interview:

Major costs for the attack by unidentified hackers include the investigation into what happened, computer repair or replacement, and steps to prevent a future attack. Lost productivity while operations were disrupted will add to the price tag…. Macquarie Research analysts projected Sony would likely take an impairment charge of 10 billion yen ($83 million) related to the incident. Mark Rasch, a former federal cyber crimes prosecutor, estimated costs could run up to $70 million.

Then there are the indirect costs. Sony’s competitors know a lot more about its business practices now. They could start poaching its movie stars, writers, and executives, to the company’s detriment. Those same movie stars, writers, and executives might decide it is no longer worth working with Sony, given what the breach has revealed, costing the firm. (Angelina Jolie, for one, gets described as a “minimally talented spoiled brat.”) And some of Sony’s stars might decide to demand higher compensation in exchange for remaining with the beleaguered studio. 

On top of that, it looks like there will be significant costs from employees’ civil suits related to the leaks. Already, Sony workers have lawyered up and charged the company with failing to protect their privacy:

The complaint was filed on behalf of Michael Corona, who says he worked at the company from 2004 to 2007, and Christina Mathis, who says she worked at the company between 2000 and 2002. Both say they had information such as Social Security numbers leaked. Corona also alleges that his salary history and reason for resigning were breached. Both say they have spent money for identity theft protection in the wake of the hack and are suing on behalf of themselves and an estimated 15,000 individuals similarly situated. 

The hack also revealed that Sony has a tendency to pay its female executives and stars less than its male executives and stars. One can imagine some lawsuits or contract renegotiations related to that detail, or others.

Then comes the potential cost of pulling the Rogen and Franco film:

The production budget of The Interview is $44 million, and it is tracking to open in the $20 million range, though that could well go higher since publicity around the hacking has heightened its profile. There would be marketing costs lost and penalty payments to partners would likely be required, so it could be at least a $100 million hit.

And that does not take into account the revenue Sony might lose by choosing not to distribute the film. It also does not account for any losses related to the posting of other Sony films on the internet, including Annie.

All in all, it is conceivable that Sony’s Japan-based corporate parent might be facing multiple hundreds of millions of dollars of direct costs and lost sales. Chalk it up as 200 million more reasons to use two-step verification.