Costs: Legal fees, security consulting fees, settlements from the class actions, restitution for service interruption, lost sales, credibility with users and publishers, insurance, etc. One thing is for certain, skimping out on network security/infrastructure definitely came back to bite them in the ass.
Sony could have covered this up, but if the hacker were to publically claim responsibility and show proof they would have incurred even more damages in addition to just the leaked data - that would be criminal. As long as the possibility exists that the data has been compromised, companies MUST disclose that information.
It's unbelievable that people are still in denial defending Sony. Guess what, there WAS an intrusion, and there is the possibility of a compromise of personal information and credit card numbers, they said so themselves. The forensic investigation may never be conclusive, but absence of evidence is NOT evidence of absence.
