Sony could face legal action across the globe after it delayed disclosing a security breach of its popular PlayStation Network, infuriating gamers and sending the firm's shares down nearly 5 percent in Tokyo Thursday.
Sony shut down the network on April 19 after discovering the breach, one of the biggest online data infiltrations ever. But it was not until Tuesday that the company said the system had been hacked and that users' data could have been stolen.
In the United States, several members of Congress seized on the breach, in which hackers stole names, addresses and possibly credit card details from 77 million users. One U.S. law firm filed a lawsuit in California on behalf of consumers.
"Gamers are angry that Sony's CEO hasn't come out to explain the situation and investors are disappointed over the company's corporate governance," said Michael Wang, manager of overseas funds at Prudential Financials in Taipei, which owns shares in Sony.
Sony's PlayStation Network, a service that produces an estimated $500 million in annual revenues, provides access to online games, movies and TV shows. Nine out of 10 of PlayStation's users are based in the United States or Europe.
Gamers could ditch Sony and analysts said people looking to buy a video game console could steer toward Microsoft's Xbox, which has its own popular online network.
"I am outraged that my personal information may have been accessed by hackers," said Rich Chiang, a PlayStation and Xbox user in Shanghai.
Security experts said Sony would need to account for the loss of business -- as well as damage to its brand -- when it tallies up the cost. Other costs include notifying customers of the attack and bringing in experts to cleanse its network.
Larry Ponemon, chairman and founder of the Ponemon Institute, said the theft could cost Sony more than $1.5 billion, or an average of $20 for each of the 77 million customers whose data was potentially compromised. Poneman's firm specializes in securing information on computer networks.
Sony said the delay in notifying the public was needed to conduct a forensic investigation but it is fast becoming a public relations nightmare akin to Toyota Motor's bungled response to a giant vehicle recall last year, fuelling criticism of corporate Japan's standards of disclosure.
Neither Sony CEO Howard Stringer nor Kazuo Hirai, who was appointed to the company's No. 2 position last month after building up Sony's networked services, have commented publicly.
Sony shares closed down 4.5 percent after falling more than 5 percent at one stage, while the broad market rose 1.6 percent. The stock has now lost more than 8 percent this week.
Some fund managers said the impact might be contained.
"Shares of Sony have already reached the low since the earthquake so I think further downside is limited. Investors who buy Sony are buying on its growth in PlayStation. Gamers usually will not stop playing just because a single incident," said Prudential Financial's Wang.
Sony has struggled for years to control the activities of the hackers, who make up a portion of PlayStation's fanbase.
Earlier this month, games fan website PlayStation Lifestyle
said a group calling itself Anonymous had conducted attacks on Sony websites and online services, motivated by revenge for the company's attempts to clamp down on hacking.
"Sony's strategy in defending its intellectual property was heavy handed and has triggered the "nuclear option" with those that it engaged," IT security expert, Phil Lieberman, CEO and founder of Lieberman Software, said.
In the United States, attorneys general, who act as consumer advocates, had begun investigating the matter or reviewing it with staff in several states, including in Iowa, Connecticut, Florida and Massachusetts, according to their offices.
U.S. regulators could get involved as well. The Federal Trade Commission has been known to pursue companies that failed to safeguard consumer data. It could investigate if it determines Sony failed to tell its customers about the company's privacy policies.
A spokeswoman for the agency declined to comment.
Sony reported the breach to the FBI's cybercrimes unit in San Diego, which is investigating, a person familiar with the probe told Reuters. The person was not authorized to discuss the matter publicly.
Late Wednesday, Rothken Law Firm filed a lawsuit on behalf of an individual plaintiff named Kristopher Johns against Sony in the Northern District of California court.
"This suit seeks to redress Sony's failure to adequately provide service to PlayStation consoles and PlayStation Network," the lawyers for the plaintiff said in a court filing.
The plaintiff has requested the court to certify this case as a class action and has also sought unspecified monetary damages, according to the filing.
Sony did not return a call in the United States seeking comment.
Games developers voiced concerns about the ramifications of the data theft.
"What's potentially pretty damaging for people is passwords, because people may use the same password for logging into this network that they use for other things," said Jonathan Chey, a games developer and PlayStation user.
"Security questions (used for recovering passwords)too. My understanding from what they said is that stuff was compromised and was not encrypted."
In Britain, a government watchdog launched an investigation of the incident.
Britain's Information Commissioner's Office said it had contacted Sony and was investigating whether it violated laws that require it to safeguard personal information. The commissioner's investigation would depend in part on whether Sony stored user information in Britain.
Indeed, Sony may come under the toughest scrutiny from non-U.S. regulators, which have stricter consumer privacy laws.
"European countries are going to go crazy and be all over this," said Dan Burk, a professor at the University of California, Irvine School of Law. "They are absolutely obsessed about companies holding personal information."