The $5 Million Cleanup Cost: What Take-Two's Disclosed Breach Expense Plausibly Bought

Introduction

When Take-Two Interactive's chairman Strauss Zelnick eventually attached a number to the September 2022 Rockstar Games network intrusion, the figure was striking only in its modesty. Reporting around the criminal trial of the "teapotuberhacker" attacker — the seventeen-year-old Lapsus$ member who exfiltrated roughly fifty minutes of work-in-progress Grand Theft Auto VI footage and threatened to publish source code over Rockstar's internal Slack — referenced a recovery cost of approximately five million US dollars and "thousands of staff hours" (BBC News, 2023). For a company that booked roughly $5.35 billion in net revenue across fiscal year 2023, this was a rounding error: less than 0.1 per cent of top-line revenue, dwarfed by amortisation of a single mid-tier acquisition, and small enough to disappear into the catch-all "general and administrative" line of the 10-K without dedicated disclosure (Take-Two Interactive, 2023).

The number tells two stories at once. It is large enough to suggest a serious remediation programme — forensic retainers, outside counsel, a hardened identity rollout, network re-segmentation — but small enough to confirm what Rockstar publicly insisted from day one: that the intrusion was a credential abuse and Slack/Confluence harvesting incident rather than the deep, production-pipeline-wide compromise that comparable breaches at Sony Pictures, Capcom or Insomniac forced their victims to confront. This report works through what $5m plausibly covers based on publicly disclosed comparators, why that figure was financially immaterial to Take-Two, and what the size of the cleanup implies about the scope of the attacker's actual access. All analysis here relies on public SEC filings, court reporting and secondary press coverage; no leaked material is examined or linked.

The $5M Figure in Public Filings

Take-Two's FY2023 Form 10-K, filed on 26 May 2023 with the US Securities and Exchange Commission (US SEC, 2023), references the September 2022 incident under the Risk Factors and cybersecurity disclosures but does not break out the remediation cost as a discrete line item. The widely quoted $5 million figure entered the public record principally via reporting on the attacker's 2023 Southwark Crown Court trial, where prosecution evidence summarised the financial harm Rockstar attributed to the breach (BBC News, 2023; Wikipedia, 2026). Subsequent industry coverage propagated the number as a working estimate of "incident-related expense" rather than a single audited line.

Critically, Take-Two did not restate guidance, take an impairment charge, or adjust non-GAAP reconciliations specifically tied to the breach. In the proximate quarterly call following the intrusion, Zelnick framed the incident as operationally contained, stating publicly that the company had taken steps "to isolate and contain this incident" and that business was unaffected (GameSpot, 2022; Variety, 2022). The share price reaction reinforces this characterisation: shares fell more than 6 per cent in pre-market trading on 19 September 2022 but recovered the same day after Take-Two's statement (MarketWatch, 2022). A breach material to Take-Two's quarterly numbers would not have produced an intraday round-trip; investors priced it as reputational noise around an unreleased asset, not a balance-sheet event.

This is the right context for the $5m: it is a management-disclosed characterisation of direct cash and in-kind cost — not a regulatory loss, not a settlement, not a write-down of inventory or capitalised development cost. It maps to the kind of figure a controller assembles by tallying invoices from incident-response retainers, law-firm hours, identity tooling procurements, and overtime for internal IT and security staff.

Plausible Cost Breakdown

Public-company breach disclosures across the last decade — supplemented by the Ponemon Institute's annual Cost of a Data Breach series and SEC comment-letter correspondence with affected registrants — converge on a recognisable cost structure for an incident of this profile. Working from that scaffold, a plausible apportionment of Take-Two's $5m looks roughly as follows.

Forensic incident response — approximately $1.0–1.8m. A first-tier DFIR retainer (Mandiant, CrowdStrike Services, Stroz Friedberg, Kroll, or similar) for a four-to-eight-week engagement on a global enterprise typically runs $400–600 per analyst hour, with senior responders billed higher. A team scoping a Slack-token-based intrusion across Rockstar's multi-studio environment, performing endpoint triage, log reconstruction from limited retention windows, and reverse-engineering the attacker's movement, would burn through this band easily. Public disclosures from the SolarWinds and MOVEit cohorts indicate similar enterprises routinely incur seven-figure forensic bills for incidents of meaningfully smaller scope (Mandiant, 2023).

Outside counsel — approximately $0.7–1.2m. Take-Two's go-to litigation and regulatory counsel would have been engaged immediately to advise on takedown strategy (the DMCA notices to YouTube, Reddit and GTAForums documented contemporaneously were a counsel-driven workstream), SEC disclosure obligations, potential securities-fraud exposure given the share-price move, and coordination with the FBI and UK National Cyber Crime Unit. Big-law cyber and securities partners bill $1,200–1,800 per hour; even a contained matter accrues several hundred hours across multiple practice groups. Comparable counsel costs in the Capcom 2020 ransomware matter and the EA 2021 incident were reported in roughly this range.

Notification and regulatory response — modest, perhaps $0.1–0.3m. Because the GTA VI leak primarily exposed pre-release IP rather than personal data, statutory breach-notification regimes (GDPR Article 33/34, US state attorney-general notification statutes, NYDFS Part 500) were largely not triggered at scale. This is one of the most consequential differences between Take-Two's bill and Uber's 2016 bill, which ballooned because that intrusion exposed 57 million riders' and drivers' personal data and ultimately drew a $148m multi-state attorney-general settlement (US Federal Trade Commission, 2018).

Hardened identity and access management rollout — approximately $1.0–1.5m. Rockstar publicly confirmed the attacker entered via stolen credentials and moved laterally into the internal Slack workspace. The textbook post-incident response is enterprise-wide enforcement of phishing-resistant MFA — FIDO2/WebAuthn hardware tokens such as YubiKeys distributed to all engineering and production staff. Hardware token unit cost at scale is $25–50 each; across Rockstar's reported developer headcount of several thousand plus contractors and Take-Two corporate users, the hardware bill alone is plausibly $200–400k, with the larger share of the spend on identity-provider licensing (Okta, Microsoft Entra), conditional-access policy engineering and the SSO migration work required to bring legacy SaaS tenants behind phishing-resistant auth.

Network segmentation and SaaS access redesign — approximately $0.5–1.0m. The attacker's reported path — credential abuse leading to Slack workspace access and harvesting of attached files — is the canonical case study for why source-controlled material and pre-release media should not be casually posted into chat. Remediation typically includes Slack/Confluence access audits, DLP (data-loss prevention) deployment on collaboration platforms, purging of historical attachments, segmentation of build infrastructure from general-corporate networks, and brokered access (e.g. Cloudflare Access, Zscaler Private Access, or AWS Verified Access) for previously VPN-reachable internal services. The capital portion of this work is often quietly capitalised as IT infrastructure; only the consulting and integrator labour falls into "incident expense."

Internal labour and overtime — the residual. Zelnick's reference to "thousands of staff hours" is consistent with a residual several-hundred-thousand dollars to a million in burdened internal cost: security and IT teams pulled onto the incident, communications and HR staff supporting employee Q&A, engineering hours diverted to credential rotation and CI/CD secret rolls, and executive time. Most companies do not charge internal labour into the incident bucket for accounting purposes, but management disclosures often include it informally as part of "cost to recover".

This rolls up to roughly the $5m figure, with reasonable bands of plus or minus 30 per cent depending on which costs the controller chose to attribute to the incident versus to ongoing IT modernisation budgets.

Comparable Breach Costs (Uber, EA, Capcom, Insomniac)

Putting Take-Two's number against four comparators clarifies what kind of incident it actually was.

Uber 2016. The 2016 Uber breach exposed personal data of 57 million users and drivers. Uber paid $148 million in 2018 to settle a multi-state attorney-general investigation arising from its concealment of the breach (US FTC, 2018; Wikipedia, 2026). Chief Security Officer Joe Sullivan was later convicted in October 2022 of obstruction of justice and misprision of a felony, becoming the first US executive criminally convicted in connection with a data-breach cover-up (US Department of Justice, 2022). The Uber figure is two orders of magnitude larger than Take-Two's not because the technical remediation was harder but because the data type — consumer PII at scale — triggered both regulatory penalties and a culture of cover-up that compounded the financial harm. Take-Two's incident, exposing pre-release game footage, has no consumer-PII analogue and therefore no comparable settlement exposure.

EA 2021. Electronic Arts disclosed in June 2021 that attackers had exfiltrated approximately 780 GB of source code, including for FIFA 21 and the Frostbite engine. The attackers reportedly entered by purchasing stolen Slack session cookies on a dark-web marketplace for around $10, then social-engineered an IT support staffer into provisioning MFA tokens — a near-identical playbook to the Rockstar incident a year later (Motherboard/Vice, 2021). EA never disclosed a specific dollar cost. Industry analysts at the time estimated direct remediation in the low single-digit millions, with EA framing the matter as contained and not materially impacting operations or product roadmaps. The structural parallel to Rockstar is striking: same initial-access vector, same collaboration-platform abuse, same "no material impact" public framing, and presumably a similar order-of-magnitude remediation bill.

Capcom 2020. The November 2020 RagnarLocker ransomware attack against Capcom is the most informative comparator because Capcom disclosed extensive details in successive investor updates (Capcom Co., Ltd., 2020). The attackers exfiltrated approximately 1 TB of data including unreleased game plans, employee personal data (up to 350,000 records of staff and partners), and corporate financial information, and demanded ransom payment, which Capcom refused. Capcom's reported incident-related expenses ran into several hundred million yen — at the time roughly $3–5m direct costs — with the broader cost of multi-year hardening, employee notification across hundreds of thousands of records, and the resulting Juracek copyright litigation (which surfaced because internal Capcom files matched a 1996 art book's CD-ROM contents and was eventually settled "amicably" in February 2022) extending the tail of consequences for years (Wikipedia, 2026, Capcom article). Capcom's dollar cost roughly matches Take-Two's, but the consequences spread further because data exfiltration encompassed PII, finished IP and litigation-relevant evidence.

Insomniac 2023. The December 2023 Rhysida ransomware attack on Insomniac Games (a Sony first-party studio) exfiltrated 1.67 TB of data including the Wolverine development build, internal HR records, and forward roadmap slides through 2030 (Cybersecurity reporting, 2023–2024). Sony did not publish a discrete remediation cost, but the incident foreshadowed an internal reorganisation and layoffs at Insomniac in early 2024 — outcomes that suggest the operational impact considerably exceeded the direct remediation bill. The Insomniac case demonstrates that even when ransom is not paid (Sony reportedly did not pay), the downstream strategic cost of having multi-year roadmaps and HR data in the public domain can materially shape staffing and disclosure decisions for years.

Take-Two sits clearly at the low end of this comparator set, in line with EA 2021, and well below Uber 2016 or Capcom 2020 in total exposure. The common thread linking Take-Two and EA — small disclosed cost, no PII breach, no ransom dynamic, contained collaboration-platform compromise — is what makes the $5m credible rather than suspicious.

Why $5M Was Material But Not Catastrophic

For FY2023, Take-Two reported net revenue of approximately $5.35 billion and a GAAP net loss of $1.12 billion, the latter driven almost entirely by the Zynga acquisition accounting (amortisation of acquired intangible assets, transaction costs, and stock-based compensation related to the $12.7bn deal that closed in May 2022) (Take-Two Interactive, 2023). In that context, $5 million is a line item worth 0.09 per cent of revenue — well below the materiality threshold any audit firm would set under PCAOB guidance for a company of Take-Two's size, which conventionally lands between 0.5 and 1 per cent of revenue or 5 per cent of pre-tax income.

This is the financial reason the breach did not require its own discrete dollar disclosure in the 10-K: it simply was not material under US GAAP. SEC guidance issued under the cybersecurity disclosure rules finalised in July 2023 (post-dating this incident) would later require more rigorous discussion of material cybersecurity incidents on Form 8-K within four business days, but those rules were prospective. Under the disclosure regime in force in September 2022, Take-Two's choice to discuss the matter qualitatively in Risk Factors and via management commentary on the earnings call was fully compliant.

The operational reason is equally straightforward. The intrusion did not delay GTA VI's development meaningfully — Rockstar's own statement at the time said the company did "not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects" (Rockstar Games, 2022). It did not damage the GTA Online live service, did not expose customer payment data, did not trigger refund demands or churn in the existing GTA V/Red Dead Online user base, and did not provide competitors with finished technology they could appropriate. The leaked work-in-progress footage, while embarrassing, was widely judged by industry observers (including Jefferies analyst Andrew Uerkwitz) to be a PR matter rather than a commercial one (MarketWatch, 2022). When the official GTA VI trailer eventually launched in December 2023 it became the most-viewed non-music YouTube debut in history within twenty-four hours (Wikipedia, 2026), confirming that demand was undamaged.

The fact that $5m sufficed also tells us something about the financial structure of post-breach remediation at large incumbents. Much of what a smaller company would have to buy externally — incident response maturity, SOC tooling, identity infrastructure — Take-Two and Rockstar already had as part of normal IT operating spend. The marginal cost of responding to a contained intrusion is comparatively small when the baseline security programme is already mature; the catastrophic cost profile (Equifax 2017 at $1.4bn-plus, Maersk 2017 NotPetya at $300m, Sony Pictures 2014 at $35m-plus) arises when the breach also exposes systemic security debt that has to be remediated on an emergency schedule. Take-Two's $5m is consistent with the former scenario, not the latter.

What Scope of Access This Implies

The most analytically interesting use of the $5m figure is as a signal of scope. Working backward from the cost is a useful complement to working forward from what Rockstar and the attacker publicly admitted.

First, $5m is large enough to imply meaningful segmentation and identity work happened after the fact. Pure forensics and counsel for a contained single-account breach with no engineering remediation could be done for $1.5–2.5m. The fact that the figure roughly doubles that points to budgeted infrastructure work: SSO migrations, MFA-token rollouts, Slack/Confluence access redesign, and probably brokered access in front of formerly-VPN-reachable resources. That is consistent with an incident where the attacker reached internal collaboration platforms and viewed attached files, and where Rockstar concluded its perimeter and identity posture needed structural change, not just credential rotation.

Second, $5m is far too small to imply the attacker reached the production build pipeline, source-control servers (Perforce or similar) or signing infrastructure. If those had been compromised, remediation would have required:

  • Forensic review of every commit since suspected initial access, potentially across years of history.
  • Re-signing or rotation of code-signing certificates and rebuilding trust chains for distributed binaries.
  • Coordinated disclosure to platform partners (Sony, Microsoft, Valve) about potentially compromised builds.
  • Multi-year hardening of build-environment isolation, ephemeral CI runners, hardware-rooted attestation, and supply-chain controls.

That programme of work would not fit in $5m at a company Rockstar's size. Sony Pictures spent more than $35m on remediation after the 2014 breach, and that incident — while it exposed embarrassing internal communications and unreleased films — likewise did not reach core production systems in the same way a build-pipeline compromise would. Capcom's 2020 incident, which did reach internal source repositories and design documents and produced years of follow-on litigation exposure, was disclosed in the same low-single-digit-millions range for direct costs but spawned a much longer tail of consequences than Take-Two has shown.

Third, $5m is consistent with attacker access narrowly bounded to Slack/Confluence/Jira and to files attached therein. The leaked material widely discussed publicly — work-in-progress gameplay videos, animation tests, level layout captures — is exactly the artefact class that gets attached to internal chat for review by producers and leads. It is not the artefact class that lives in source control. A Slack workspace breach gives an attacker access to whatever has been pasted in or attached, which can be substantial, but it does not give them the canonical engine source tree, the asset pipeline, or the build toolchain.

Fourth, the lack of any subsequent disclosed remediation in FY2024 or FY2025 10-Ks suggests Take-Two did not consider this a multi-year hardening programme. By contrast, Capcom continued to reference its ransomware-response programme in investor materials for two fiscal years after the 2020 incident, and Maersk's NotPetya response shaped its IT architecture for years afterwards. Take-Two's $5m appears to have been a single-fiscal-year event with no rolling tail of incident-related spend — another structural signal that the scope was bounded and the remediation was tractable.

In short: $5 million bought enough to confirm that the attacker reached the perimeter of the production environment but did not get inside it. It bought a hardened front door and a re-segmented hallway, not a rebuilt house.

Speculation Confidence

The $5m figure itself is moderate-to-high confidence: it has been referenced repeatedly in court reporting around the attacker's 2023 trial and was attributed to Rockstar/Take-Two by the BBC and others without subsequent correction (BBC News, 2023; Wikipedia, 2026 citing the BBC). It is not, however, an audited line in a public SEC filing, so the precision is closer to "about five million" than to a specific accounting figure.

The cost-component apportionment in this report is medium confidence. It is built by analogy to comparable disclosed incidents (Capcom 2020, EA 2021, Uber 2016) and to Ponemon and Mandiant industry data, not from disclosed Rockstar invoices. The category split — roughly a third to forensics and counsel, a third to identity hardening, a third to segmentation and internal labour — is consistent with how controllers tend to assemble these figures but should be treated as illustrative rather than canonical.

The inference that the cost figure implies bounded Slack/Confluence access rather than build-pipeline compromise is medium-to-high confidence, because the cost order-of-magnitude argument is robust: production-pipeline compromise at a studio of Rockstar's scale would almost certainly produce a multi-year remediation budget well in excess of $5m, and Take-Two's FY2024 and FY2025 10-Ks show no such trailing spend. Additionally, the attacker's own public claims at the time of the breach — that material was taken from Rockstar's internal Slack — align with this scope.

Lower-confidence elements in this report include any specific dollar figure attributed to a single category (each band has roughly ±30 per cent uncertainty), the attribution of internal labour cost to the $5m figure (Take-Two has not specified whether the figure is cash-out or fully-loaded), and the comparative cost claims for EA 2021 and Insomniac 2023, neither of which disclosed direct remediation figures publicly. Nothing in this analysis depends on examining leaked materials; all references are to public filings, court coverage, and secondary reporting.

References

BBC News (2023) Teenage Lapsus$ hacker behind GTA 6 leak given indefinite hospital order, 21 December. Available at: https://www.bbc.com/news/technology-67768763 (Accessed: May 2026).

Capcom Co., Ltd. (2020) Notice Regarding the Impact of and Response to a Targeted Attack Involving Unauthorized Access, Investor Relations disclosure, November. Available at: https://www.capcom.co.jp/ir/english/news/ (Accessed: May 2026).

GameSpot (2022) 'Take-Two shares dip following GTA 6 leak', 19 September. Available at: https://www.gamespot.com (Accessed: May 2026).

Mandiant (2023) M-Trends 2023 Special Report. Reston, VA: Mandiant Inc.

MarketWatch (2022) 'Take-Two stock recovers after GTA 6 leak', 19 September. Available at: https://www.marketwatch.com (Accessed: May 2026).

Motherboard/Vice (2021) 'How hackers used Slack to break into EA Games', 11 June.

Rockstar Games (2022) Official statement on network intrusion, posted via @RockstarGames on X (formerly Twitter), 19 September.

Take-Two Interactive Software, Inc. (2023) Annual Report on Form 10-K for the fiscal year ended March 31, 2023, filed with the US Securities and Exchange Commission, 26 May. Accession No. 0001628280-23-019851. Available at: https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0000946581&type=10-K (Accessed: May 2026).

US Department of Justice (2022) 'Former Chief Security Officer of Uber Convicted of Federal Charges for Covering Up Data Breach', Press release, 5 October.

US Federal Trade Commission (2018) 'Uber Agrees to Expanded Settlement With FTC Related to Privacy, Security Claims', Press release, 12 April.

US Securities and Exchange Commission (2023) EDGAR filings index, Take-Two Interactive Software Inc. (CIK 0000946581). Available at: https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0000946581&type=10-K (Accessed: May 2026).

Variety (2022) 'Take-Two CEO Strauss Zelnick: GTA 6 leak emotionally impacted staff but business unaffected', 19 September.

Wikipedia (2026) Capcom. Available at: https://en.wikipedia.org/wiki/Capcom (Accessed: May 2026).

Wikipedia (2026) Grand Theft Auto VI. Available at: https://en.wikipedia.org/wiki/Grand_Theft_Auto_VI (Accessed: May 2026).

Wikipedia (2026) Uber. Available at: https://en.wikipedia.org/wiki/Uber (Accessed: May 2026).