The financial cost of the crippling cyberattack that hit Sony Pictures Entertainment last week is beginning to become clear — and it won’t be cheap.
The Culver City film and television studio could face an outlay of tens of millions of dollars, according to digital security and legal experts.
Such an expenditure comes at a poor time for the Sony Corp.-owned studio, which late last year committed to slashing overhead by at least $250 million and has since gone through several rounds of layoffs.
Sony Pictures’ costs include rebuilding its computer network, paying a cyber-forensics firm to investigate the breach and footing the bill for potential legal matters that stem from the attack.
“It sounds like a really bad situation. It could cost tens of millions of dollars,” said attorney Peter Toren, a cybersecurity expert who formerly worked in the Department of Justice’s Computer Crime & Intellectual Property Section. “Clearly they have issues.”
The average cost of a network breach for a major corporation — factoring in the forensic investigation and legal fees — is about $7 million, said Ralph Echemendia, chief executive of digital security consulting firm Red-e Digital.
Given the scale and severity of the hack, the worst ever against a Hollywood studio, Echemendia believes that it could cost the studio at least triple that. And that doesn’t take into account what it will cost Sony Pictures to rebuild its network.
The breach became public Nov. 24, when Sony workers logging onto their computers were greeted with an image of a skeleton accompanied by the text “Hacked By #GOP” — a reference to a group calling itself Guardians of Peace.
Since then, a trove of sensitive computer files has been leaked onto the Internet, including documents purported to contain several top Sony executives’ salaries and the Social Security numbers of thousands of company workers. Some of the studio’s movies were also uploaded to the Internet.
In its analysis, data-security consulting firm Identity Finder found that the documents also contained Social Security or taxpayer-identification numbers of big Hollywood names like director Judd Apatow and actor Sylvester Stallone.
The identity of the hackers remains unclear, and the FBI is investigating the matter. However, widespread speculation has centered on whether Sony Pictures’ upcoming release of “The Interview” — a comedy starring Seth Rogen and James Franco about a fictional attempt to assassinate North Korean leader Kim Jong Un — led North Korea to retaliate in cyberspace.
Other observers say the attack could have been perpetrated by disgruntled current or former employees.
One thing is certain: The damage to Sony Pictures’ network is widespread. In an email to employees on Tuesday, the studio’s top two executives — Chairman Michael Lynton and co-Chairman Amy Pascal — called the theft and leaks “malicious criminal acts.”
The digital infiltration will be expensive to clean up, with other harder-to-quantify costs. First, the studio will lose out on box-office and home entertainment revenue as a result of the hackers’ dissemination of five Sony films, including Brad Pitt’s “Fury” and the upcoming musical “Annie.”
“You’ll never know the exact dollar amount, but it’s safe to say piracy has an impact no matter what,” said Phil Contrino, vice president and chief analyst at BoxOffice.com.
The film that stands to lose the most is the holiday family movie, “Annie,” which debuts Dec. 19, Contrino said. Sony’s musical is expected to pull in roughly $100 million in the U.S. and Canada, but “piracy could put a dent in that,” he said.
Then there’s the cost of the downtime the company has experienced. Sony has about 6,600 employees, and they were forced to use pencil and paper and their personal email accounts in the days after the attack. Although many of the studio’s systems were restored by Monday, some remain offline.
Such a disruption could lead the studio to miss out on other business opportunities — such as snagging a hot script or hiring an in-demand executive — and Sony’s competitors are unlikely to sit on the sidelines and let the studio play catch-up. Lynton has told his staff that there would not be layoffs connected to this hack, said a person familiar with the situation.
Sony enlisted Mandiant, a cyberforensics unit of the security firm FireEye, to assist in the search for the hackers. The company, a leader in the field, investigated Chinese hackers’ 2012 and 2013 breaches of the New York Times’ network, and its services are expensive, Toren said.
“We are still assessing the overall impact of last week’s highly sophisticated cyberattack,” a Sony spokesman said in a statement Thursday. “Our number one priority at this point is keeping our business moving forward, and we are making good progress.”
Mandiant declined to comment.
Rebuilding Sony Pictures’ network will also be expensive, although experts say it is difficult to put a dollar figure on expenditures because the extent of the damage isn’t yet known.
When Sony’s PlayStation Network was hacked in 2011, the company estimated the cost at $170 million.
“These things aren’t measurable,” said Tom Chapman, director of the cyber operations at computer security company EdgeWave. “But this will damage Sony greatly.”