On November 24, 2014, Sony Pictures was hacked by cyber terrorists who opposed the release of the movie “The Interview” (Seal, 2015). Sony’s computer network was hacked early in the morning, as employees logged on to their computers to find a “blood-red skeleton baring its fangs, with the words ‘Hacked by the #GOP’” on their screens (Seal, 2015). Employees were instructed to shut down all of their computers and disconnect their personal devices from company WiFi as more and more employees saw the screen shown below on their computers (Seal, 2015). It was later found that the hackers used North Korean IP addresses, further bolstering the theory that the reason for the hacking was the impending release of “The Interview,” a comedy based on the oppressive role of North Korea’s dictator (DeLuca, Williams, & Winter, 2015). The damage to the information technology infrastructure was so deep that the company was not able to recover until February of 2015 (Pepitone, 2015). This hack has been called the “most serious cyberattack” in the history of the United States by James Clapper, the United States Director of National Intelligence. The Federal Bureau of Investigation has confirmed that the government of North Korea was behind the hacks that hit Sony in November of 2014 (DeLuca & Winter, 2015).
(Ragan, 2014)
In a sense, Sony succeeded by doing all they could in the wake of the unprecedented attack from the organized cyber crime group, #GOP. According to Time Magazine, the malware attack was not detected by Sony’s current industry-standard antivirus software. During the investigation it was found that no organization would have been adequately prepared for this type of attack (Frizell, 2014). Sony was also successful in communicating with their employees about the cyber-attack. On December 2, 2014, a company-wide e-mail was sent out alerting employees to the depth of the cyber-attack. Sony leadership transparently communicated what they knew about the attack and emphasized that they appreciated each employee’s deep commitment and dedicated work to the company (Robb, 2014).
Sony was unprepared for the cyber-attack in two respects: they had not protected their intellectual property, and they were not ready for the sudden operational challenges of working without a network for a short period of time. Sony was not prepared for sensitive intellectual property such as employees’ salaries, social security numbers, e-mail addresses, passwords, workplace complaints, and unreleased films to be released for the general public to access and view (Frizell, 2014). Five Sony films (Fury, Annie, Mr. Turner, Still Alice, and To Write Love on Her Arms) were posted to the internet by the cyber criminals, resulting in millions of illegal downloads by users across the globe within a short period of time (Robb, 2014). A second area where Sony was unprepared was that of the operational challenges it encountered (Schrage, 2014). Sony was very dependent on networks and devices to conduct their business. Once the cyber-attack was confirmed, employees were asked to shut off their computers and turn off WiFi on their mobile devices. Sony’s e-mail system went down, and employees quickly resorted to using memos, personal cell phones, old BlackBerrys and temporary e-mail addresses to conduct any semblance of a normal workday (Seal, 2015).
One of the principles upheld by Sony both during and after the cyber-attack was that of the employees enduring some stressful work conditions and continuing to relentlessly push forward with business in as normal a mode as possible under the circumstances (Frizell, 2014). On the negative side, a principle violated was that of integrity. The stored data that Sony had in their 38 million released files was not well encrypted, and once the hackers were able to access the network, they had full access to all of Sony’s data (Seal, 2015). This ties in closely with the availability of stored data, movies, personal information, and so on. Sony did not appear to have their internal data, from personal information to movie files, adequately secured to prevent a leak of such magnitude. Another principle violated was that of privacy on the part of all the employees. Social security numbers, email addresses, and other pertinent personal information were made public for billions of users over the web to access and review. Employees were coming to work terrified and unsure of what would happen next (Seal, 2015). As reports came in of employees’ credit card numbers being used to purchase online items and other employees applying for credit cards using personal information, panic began to take root (Seal, 2015). In reaction to these events, Sony set up a help desk of sorts where employees flooded to stand in line and sign up for credit protection and fraud alerts against their personal information (Seal, 2015). Even the FBI came in and assisted Sony with personnel counseling and identity theft classes (Seal, 2015).
The total impact of an information security incident is somewhat difficult to assess. On the most basic level there are financial impacts. In Sony’s case, their preliminary fiscal third-quarter financial results revealed that the company planned to take a $15 million charge in the current quarter to cover “investigation and remediation costs” related to the breach (Musil, 2015). The major costs of the attack include the investigation into how the breach occurred, repair or replacement of computer systems, and steps to prevent a future attack. While these financial figures should have little effect on Sony Pictures Entertainment, which reported operating profit of $501 million for the fiscal year through March, there is a cost to their reputation that cannot be easily computed. Will high-profile stars continue to work with them if they are concerned with the safety of their personal information? There is also the risk that producers or financiers decide to take their projects to competitors. Another difficult-to-compute effect is the cost of the loss of trade secrets. The hackers released documents that include contracts and marketing plans that could easily influence competitors’ strategies (Richwine, 2014). On another level, there is the personal cost of these types of incidents. Sony Pictures Entertainment co-chairman Amy Pascal stepped down from her position. She was a central figure in some of the drama that ensued from the hack. It was Ms. Pascal’s leaked emails that were considered racially insensitive. While one would hope that Sony has learned something about protecting themselves from attacks like this in the future, it was only four years ago that Sony PlayStation online gaming networks were hacked, which put sensitive details, such as personal information and perhaps credit card numbers, at risk for 77 million customers (Pepitone, 2011).
So how do companies like Sony, Target, Home Depot, and countless others better prepare themselves for cyber criminals and attacks? The answer isn’t what we might think it should be. Current law does not offer much in the way of support for organizations looking to defend themselves from attack. Sony, like many companies, called the FBI and requested assistance in finding the culprit behind the cyber-attack. What is very interesting is that, technically, the FBI, CIA, and NSA are under no obligation to provide any support if they choose not to do so (Schrage, 2014).
Resources
DeLuca, M., Williams, P., & Winter, T. (2015, January 7). Sony Hackers ‘Got Sloppy,’ Used North Korean IPs: FBI Director. Retrieved April 24, 2015, from http://www.nbcnews.com/storyline/sony-hack/sony-hackers-got-sloppy-used-north-korean-ips-fbi-director-n281556
DeLuca, M., & Winter, T. (2015, January 7). Sony Hack Most Serious Cyberattack Yet on U.S. Interests: Clapper. Retrieved April 24, 2015, from http://www.nbcnews.com/storyline/sony-hack/sony-hack-most-serious-cyberattack-yet-u-s-interests-clapper-n281456
Frizell, S. (2014, December 8). Internal Memo: Sony Could Not Have Prepared For ‘Unprecedented’ Hack. Time Magazine. Retrieved from http://time.com/3623456/sony-hack-unprecedented/
Musil, S. (2015, February 4). Sony Pictures hack has cost the company $15 million so far. Retrieved from cnet.com: http://www.cnet.com/news/sony-pictures-hack-to-cost-the-company-only-15-million/
Pepitone, J. (2011, May 10). Massive hack blows crater in Sony brand. Retrieved from CNNMoney.com: http://money.cnn.com/2011/05/10/technology/sony_hack_fallout/
Pepitone, J. (2015, January 23). Sony Hack: ‘Critical’ Systems Won’t Be Back Online Until February. Retrieved April 24, 2015, from http://www.nbcnews.com/storyline/sony-hack/sony-hack-critical-systems-wont-be-back-online-until-february-n292126
Ragan, S. (2014, November 25). Hackers suggest they had physical access during attack on Sony Pictures. Retrieved April 24, 2015, from http://www.csoonline.com/article/2851649/physical-security/hackers-suggest-they-had-physical-access-during-attack-on-sony-pictures.html
Richwine, L. (2014, December 9). Sony’s Hacking Scandal Could Cost The Company $100 Million. Retrieved from BusinessInsider.com: http://www.businessinsider.com/sonys-hacking-scandal-could-cost-the-company-100-million-2014-12
Robb, D. (2014, December 22). Sony Hack: A Timeline. Retrieved from http://deadline.com/2014/12/sony-hack-timeline-any-pascal-the-interview-north-korea-1201325501/
Schrage, M. (2014, December 17). The Sony Hack Shows How Lawless the Internet Really Is. Harvard Business Review. Retrieved from https://hbr.org/
Seal, M. (2015, March). Sony’s Hacking Saga over The Interview; Seth Rogen and Evan Goldberg Speak Out. Retrieved April 24, 2015, from http://www.vanityfair.com/hollywood/2015/02/sony-hacking-seth-rogen-evan-goldberg