The Sony Breach – Safeguard Information and Avoid Blackmail
In November 2014, Sony Pictures suffered a major cybersecurity breach. Hackers not only erased data from its systems and computer infrastructure, using a variant of the Shamoon wiper malware, but also stole nearly up to 100 terabytes of sensitive data from Sony. This information, which was gradually released to the public, included pre-release movies, people’s private information, and sensitive documents.
The attackers leaked documents such as a list of employee salaries and bonuses; HR employee performance reviews; criminal background checks and termination records; and correspondence about employee medical conditions. These tactics were aimed at demoralising Sony’s employees and causing internal instability, instilling fear among staff and reducing their productivity. The intention was also to cause reputational harm and to deter celebrities from working with Sony for fear of possible data leaks.
Timeline of events and threats
Guardians of Peace (GOP) claimed credit for the attack on Sony Pictures by allegedly posting multiple statements and messages online. Intelligence officials believe with “99 percent certainty” that hackers working for the North Korean government were behind the attack. This is considered highly likely given the dispute over the upcoming release of the film ‘The Interview’, a comedy about a plot to assassinate North Korean leader Kim Jong-un. North Korean officials had previously expressed concerns about the film to the United Nations, stating that “to allow the production and distribution of such a film on the assassination of an incumbent head of a sovereign state should be regarded as the most undisguised sponsoring of terrorism as well as an act of war.” North Korea, however, denied all responsibility for the attack on Sony Pictures.
During the hack, GOP demanded that Sony withdraw the film ‘The Interview’, and threatened terrorist attacks at cinemas screening it. After many major U.S. cinema chains opted not to screen ‘The Interview’ in response to these threats, Sony elected to cancel the film’s formal premiere and mainstream release, opting to skip directly to a downloadable digital release followed by a limited theatrical release the next day.
- The impact of the cyberattack was disruptive. It knocked out computer systems at the company, and the damage from the wholesale distribution of internal documents was far more serious compared to other breaches. The primary goal of the cyber hackers was to intentionally harm and cause reputational damage to Sony, its employees and partners.
- A group of Sony Pictures employees filed a class-action suit against the firm, claiming that, because of its lax computer security, it had failed to maintain reasonable and adequate security measures to protect employees’ information from access and disclosure. Sony settled the case for roughly $15 million in April 2016 and agreed to provide a $2 million fund for reimbursement of preventive measures taken in the aftermath of the breach.
- The breach marked a significant turning point in the way the US government viewed and responded to cyberattacks. The US government hinted at potential retaliation against the culprits behind the Sony breach. By doing so, the United States was sending a clear signal to anyone coming after a U.S. company that they would experience the significant technical capabilities of the federal government by way of retribution. This response to a cybersecurity breach directed at a private company, with something other than routine law enforcement proceedings, was unprecedented and alarming. It suggested that the US government considered it its job to protect the reputation and digital resources of every major company within its borders, thus blurring the distinction between attacks on private companies and government institutions.
It also opened the door for private companies to turn to the government to retaliate against attackers and, at the same time, gave license to other governments around the world to involve themselves in industry disputes and leverage their cyber arsenals on behalf of businesses within their borders.
- Defence in many layers, from prevention to protection
Organizations hold valuable and sensitive information, and every organization is a potential target for cyber breaches. This realization is important, and acting on it to protect yourself is even more important. There was a lack of basic cyber security precautions at Sony headquarters. Administrative computers were logged in and left unattended while guests were unaccompanied and left to wander. Such an alarming lack of basic cyber security protocol is a welcome mat for hackers. There must be qualified and proactive people in information security roles, and it is imperative that companies employ cybersecurity experts to implement security precautions and see them through. Sony’s network also lacked basic cyber security protections, such as two-factor authentication and encrypted data. Having these in place could have minimized the amount of data the hackers took and the extent of the damage. Without these basic protections, once Sony’s initial defences were breached, hackers had free rein to find and retrieve all the data they wanted. Putting secondary protections in place is important to make it harder for hackers to get information once they’re in the network. The key point is not to make a hacker’s job easy even if they have successfully infiltrated the system. In addition to having the right tools and precautions, it is imperative to have qualified and trained personnel to actively monitor and manage these vulnerabilities.
- Offense is risky
In the absence of a clear incident response plan for how to mitigate a breach, Sony attempted to fight back against its attackers. They did so by initiating a series of denial-of-service attacks directed at sites hosting its stolen data. They also planted fake torrent files online hoping to misdirect users who were trying to find stolen films and data to download fake empty files instead. However, this was clearly unsuccessful in stemming the spread of the stolen information as media sources reported widely about the films and data. The cyber security team should have focused their efforts on mitigating the cyber breach by protecting existing data systems and information by implementing more security protocols and encryption, instead of trying to limit the spread of already compromised data.
- Information security should not operate in isolation
In Sony’s case, making a controversial movie about killing the living dictator of a nation known for cyberattacks should have triggered recognition of the need for increased cyber protection. There has to be active communication between the cyber security team and all departments, so that any vulnerabilities and possibilities of attacks arising from projects or sensitive material and information can be identified promptly, allowing for better preparation of cyber protection and mitigation plans. The importance of being aware of potential cyber risks in order to secure and protect the company’s information cannot be overemphasized.
Enjoyed this article? Curious to find out how you can better protect your organisation, data systems and critical accounts in the event of a cyberattack? Contact us now for an in-depth consultation to obtain cyber security measures best tailored for your needs. CyberForSec TM team will work with your employees, train them in cyber security awareness and guide them in adopting the appropriate cyber security skills in their work processes.
Sony Pictures employees who tried to log into their computers were greeted with the above graphic of a neon red skeleton featuring the words “#Hacked by #GOP,” and a threat to release data later that night if an unspecified request was not met.
“Warning: We’ve already warned you, and this is just a beginning. We continue till our request be met. We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world.”