The company says it received an email from an “unknown threat actor” on May 11.
“We will reimburse customers who were tricked into sending funds to the attacker,” it said in its statement.
“We’re cooperating closely with law enforcement to pursue the harshest penalties possible and will not pay the $20 million ransom demand we received.
“Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.”
In a filing with the US Securities and Exchanges Commission, external, it estimated costs between $180m and $400m.
It said this figure came from “remediation costs and voluntary customer reimbursements”, however this figure could change as a result of “potential losses, indemnification claims, and potential recoveries”.
The staff members who shared customer information with the hackers have been fired.
