Sony Hack, Part 1 – Lessons not learned
By now you have surely heard about the very embarrassing Sony Pictures hack saga that has dragged on over the last few weeks. Very few people could have imagined that a movie intended as a satire, with a lower-than-usual budget, about a dictator in an East Asian country, could cause an explosion of backlash that has reached the point of threatening national security. It all started on November 26, 2014, when Sony Pictures Entertainment suffered a devastating blow to its internal corporate network at the hands of hackers who gained access to its systems, downloaded terabytes of data, and then released all of the data onto the open web over several days. But if you think that was bad, then hold on tight, because that was just the beginning.
Sony Hack, the damage done
After downloading the data and sharing it with the entire world, these hackers went through and erased a multitude of hard drives on computers ranging from servers to individual employee computers. The worst damage, however, was in the data itself that was released to the public. The troves of files and sensitive information included full-length unreleased feature films and very personal emails from the highest levels of the company all the way down. Some of these emails mentioned famous artists in a negative light, as well as financial negotiations. Other data included employee records with names, addresses and social security numbers, along with medical records that were identifiable to individual employees. There were over 700 documents containing passwords, including spreadsheets and Word files titled “FTP passwords,” “ResearchPasswords,” “ACCOUNTING PASSWORDS,” “Personal passwords,” and other files named for specific creative resource sites. There was also a file called “CA Breach Notification for User Names and Passwords (MoFo).pdf,” which seems to have been an omen of what was to come. The fallout didn’t end there; it actually continued to escalate.
Threats of violence and national security
The first threats began the morning of Friday, December 5, 2014, when Variety reported that Sony Pictures Entertainment employees received an e-mail from hackers threatening their families. Sources told Variety that employees were told to turn off their phones after receiving the message. Shortly after, the hacker group posted the following message on Pastebin:
We will clearly show it to you at the very time and places “The Interview” be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to. Soon all the world will see what an awful movie Sony Pictures Entertainment has made.
The world will be full of fear.
Remember the 11th of September 2001.
We recommend you to keep yourself distant from the places at that time.
(If your house is nearby, you’d better leave.)
Whatever comes in the coming days is called by the greed of Sony Pictures Entertainment.
All the world will denounce the SONY.
The next day, the Department of Homeland Security said that there was no “credible intelligence” suggesting there was an active plot against movie theaters. However, hours later, Ars Technica wrote that the government fingered North Korea for the hack. Whether or not the hackers could have actually carried out a terror plot on American soil, the threat was enough to get theater chains to pull the movie from their theaters.
The motives behind the Sony Hack attack
The attack and dump of corporate data was undertaken by a group calling itself the “Guardians of Peace” (GOP). The group claims its motive was to punish Sony Pictures for “terrible racial discrimination” and said that it was able to gain physical access to Sony’s network with the aid of “other staff with similar interests.” Claims and statements made by GOP hinted at or implied at least some alignment with North Korea. Their motives were fueled by the distribution of the controversial comedy film The Interview, which has been the target of the North Korean regime’s ire since it was first announced earlier this year. A spokesperson for North Korea’s National Defense Commission said that The Interview was “a film abetting a terrorist act while hurting the dignity of the supreme leadership of the DPRK by taking advantage of the hostile policy of the US administration towards the DPRK.”
Sony Hack – Lessons Not Learned
But should this hack really have come as a surprise to Sony? With a history of brutal attacks on their PlayStation Network, credit card and data breaches, DDoS assaults and other devastating attacks that led to class action lawsuits starting in 2011, it seems like they had plenty of time to strengthen their network and be prepared to see this attack coming. So how could they have prevented this? In part 2 of this series we will explore the mistakes most companies make that can lead to these disasters and what you can do to protect yourself and your network from these devastating cyber crimes.
Please read Part 2 of our series to find out how you can protect your business network.