Sony mega-hack: big corporations have no excuses for this kind of breach, experts say

Sony Pictures Entertainment’s data security has come under worldwide scrutiny after a mega-hack that is estimated to cost the company tens of millions of dollars. The hackers claim to have accessed a staggering 100 terabytes of data, and the security firm investigating the breach on behalf of the company, FireEye’s Mandiant, has said the attack is “unprecedented in nature”.

Around 40 gigabytes of Sony’s files have been released online by the hackers so far, with more promised to come.

But industry watchers say Sony’s security protocols were lax and the company was ill-prepared to cope with security threats.

Files released so far include salary information, which reveals gender and race disparities among the top-paid employees; the aliases celebrities use to check into hotels; movie scripts, budgets and entire films; scathing confidential emails about celebrities and Adam Sandler films; and 47,426 social security numbers.

What’s even worse for the company is that the attack actually began in July, when the hackers started building the malicious software that stealthily pilfered Sony’s data.

In November they put the finishing touches on the malware and deployed it to employees’ computers, where it caused disruption by rebooting machines and erasing their hard drives.

On November 24 the extent of the hack was finally discovered when the hackers announced their presence with an illustrated message that popped up on employees’ screens, in which they referred to themselves as “Guardians Of Peace”.

The message from the hackers that appeared on Sony employees’ screens

Kevin Mandia, head of FireEye’s Mandiant, said in a leaked letter that the attack would not have been detected by industry-standard antivirus software, as the attackers used unique strategies to cause damage to the company.

“The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared,” he says in the letter.

Unpreventable vs. unprepared

However, many experts and critics on the web say the security company is being too apologetic about Sony’s lack of preparation for cyber attacks.

The criticisms may be valid, as evidence is emerging that the company had a rather blasé approach to security.

An email discovered by Mashable reporters in the leaked files shows the hackers sent company executives a warning of an impending cyber attack three days before it was carried out.

The email, in broken English, asked for “monetary compensation” or there would be “great damage” and Sony would be “bombarded as a whole”. It was apparently unread by Sony Pictures co-chairman Amy Pascal.

To add to the embarrassment, the attackers also leaked a folder from Sony’s servers called “Passwords” in a file dump online.

The screenshot shows that this plainly unsecured folder contains dozens of files with “password” in the title, including “YouTube login passwords.xlsx”, which gives access to channels such as the Spider-Man YouTube channel, Master_Password_Sheet.xls and “contact list and passwords.xls”.
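A practical first check that follows from this, as an added example (it is not the page’s or Sony’s own tooling, and the directory layout and file names it builds are constructed to mirror the ones named above): walk a file share and flag anything whose name suggests stored credentials and, for plain-text files, anything whose contents look like a `password: ...` entry. Spreadsheet formats are judged by name only, since their contents are binary or zipped.

```python
import re
import tempfile
from pathlib import Path

# Filenames that suggest stored credentials (case-insensitive).
NAME_PATTERN = re.compile(r"passw(or)?d|passwd|credential|secret", re.I)
# Lines such as "password: hunter2" or "pwd=abc"; the key must come first on the line.
CONTENT_PATTERN = re.compile(r"^\s*(password|passwd|pwd|pass)\s*[:=]\s*\S+", re.I | re.M)
# Only these are read as text; .xls/.xlsx are binary or zipped, so they are judged by name only.
PLAINTEXT_SUFFIXES = {".txt", ".csv", ".ini", ".cfg", ".conf", ".md"}


def name_looks_sensitive(name: str) -> bool:
    return bool(NAME_PATTERN.search(name))


def content_has_credential(text: str) -> bool:
    return bool(CONTENT_PATTERN.search(text))


def scan_share(root) -> list:
    """Return (relative_path, reason) for every file flagged under root, sorted by path."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if name_looks_sensitive(path.name):
            hits.append((rel, "filename"))
        elif path.suffix.lower() in PLAINTEXT_SUFFIXES:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            if content_has_credential(text):
                hits.append((rel, "content"))
    return sorted(hits)


# Constructed sample share: the three file names reported in the leak plus some benign files.
# The .xls/.xlsx bodies are stubs, not real workbooks; they are never opened.
SAMPLE_FILES = {
    "Passwords/YouTube login passwords.xlsx": b"PK\x03\x04 stub",
    "Passwords/Master_Password_Sheet.xls": b"\xd0\xcf\x11\xe0 stub",
    "Passwords/contact list and passwords.xls": b"\xd0\xcf\x11\xe0 stub",
    "finance/budget.csv": b"item,cost\ncatering,1200\n",
    "it/ftp_notes.txt": b"server: files.example.internal\npassword: Winter2014!\n",
    "marketing/launch_plan.txt": b"Teaser goes out Monday.\n",
}


def build_sample_tree(root) -> None:
    for rel, body in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


def demo() -> list:
    """Build the sample share in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_share(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:8s} {rel}")
```

Run against a real share the name rule alone is noisy (a “password reset policy.docx” will trip it), so treat the output as a review list rather than an alert feed; the point is that files like the three above are found by the defender before a dump makes them public.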

Ken Levine, president and CEO of security service provider Digital Guardian, said in an email to Ars Technica that Mandia’s statement “is clearly offering Sony the opportunity to hide behind the veil of advanced persistent threats”.

A report by Thinkst is also sceptical of Mandia’s claim of an “unprecedented attack”, since data was being stolen from Sony’s network for months without anyone noticing it was leaving.

“What is abundantly clear from the attack, is that Sony’s detection and response capabilities were about as poor as possible,” the report states.

The report also refers to a 2007 article in which Sony Pictures’ executive director of security, Jason Spaltro, said the company made cyber security decisions on a cost-effectiveness basis.

“We’re trying to remain profitable for our shareholders, and we literally could go broke trying to cover everything. So, you make risk-based decisions: What’re the most important things that are absolutely required by law?” he says.

Yet with hackers responsible for both a bomb threat against a Sony executive that caused his plane to be diverted earlier this year and the PlayStation Network grinding to a halt and being taken offline for a day in August, critics say Sony should have been on high alert.

PwC director of risk and control solutions Adrian Van Hest said in a previous Idealog article about cyber security that businesses should protect their highest-value assets.

In bigger companies this could be a large database of people’s details, he says, which was the case at Sony Pictures, where nobody even noticed the data was unsecured.

The report by Thinkst echoes this, advising that “you should honestly determine if you would have noticed your company’s crown jewels being infiltrated over a prolonged period. Is this scenario covered in security testing and assessments?”
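What that self-check can look like in practice, as an added example that is not from the page, Thinkst or Sony: take per-host outbound volumes (the kind of daily figure a proxy or flow log yields), build each host’s own baseline from its first two weeks, and alert only when a host stays well above that baseline for several consecutive days. The records, host names and volumes below are constructed; the sustained-egress workstation and the one-day spike that should not alert are assumptions chosen to exercise the logic.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def daily_totals(records):
    """Aggregate (day, host, megabytes_out) records into {host: {day: total_mb}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, mb_out in records:
        totals[host][day] += mb_out
    return totals


def flag_sustained_egress(records, baseline_days=14, factor=3.0, min_consecutive=3):
    """Per-host baseline: median daily egress over the first baseline_days.

    A host is flagged once its daily egress exceeds factor * baseline for
    min_consecutive days in a row. Returns {host: {"since", "days", "threshold"}}.
    The median (not the mean) keeps a single big upload from inflating the baseline.
    """
    alerts = {}
    for host, by_day in daily_totals(records).items():
        days = sorted(by_day)
        if len(days) <= baseline_days:
            continue  # not enough history to judge this host yet
        threshold = factor * median(by_day[d] for d in days[:baseline_days])
        run_start, run = None, 0
        for d in days[baseline_days:]:
            if by_day[d] > threshold:
                run += 1
                if run_start is None:
                    run_start = d
                if run >= min_consecutive:
                    alerts[host] = {"since": run_start, "days": run, "threshold": threshold}
            else:
                run_start, run = None, 0
    return alerts


START = date(2014, 7, 1)


def sample_records():
    """Constructed three weeks of per-host daily egress in MB (two flows per host per day)."""
    recs = []
    for i in range(21):
        d = START + timedelta(days=i)
        # Legitimately high but flat: a proxy egress point. Must not alert.
        recs += [(d, "web-proxy-01", 25_000), (d, "web-proxy-01", 25_000)]
        # One-day spike on day 17 (a release upload): above threshold once, not sustained.
        spike = 9_000 if i == 16 else 2_000
        recs += [(d, "build-01", spike // 2), (d, "build-01", spike // 2)]
        # Quiet workstation that starts pushing out 4 GB a day from day 15 onward.
        half = 150 if i < 14 else 2_000
        recs += [(d, "finance-pc-07", half), (d, "finance-pc-07", half)]
    return recs


if __name__ == "__main__":
    for host, a in flag_sustained_egress(sample_records()).items():
        print(f"{host}: {a['days']} days over {a['threshold']:.0f} MB/day since {a['since']}")
```

Only finance-pc-07 is flagged: the proxy is high but flat against its own baseline, and the build server’s single 9 GB day is above its threshold but never repeats. Lowering `min_consecutive` to 1 would flag the build server too, which is the trade-off between catching a quick smash-and-grab and drowning in release-day noise; a slow, months-long exfiltration of the kind described above is exactly the case the consecutive-days rule is built to catch.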

For now, Sony struggles to regain control of the ongoing situation.

Lawsuits by card-issuing banks are being brought against big corporations whose IT security has been compromised, such as Home Depot and Target.

But with the stiff penalties and financially crippling lawsuits that follow a data breach, choosing the most cost-effective security option may soon lose its popularity.