In 2005, Sony Pictures Entertainment was audited to ensure the company was keeping in line with federal regulation regarding information security practices. The auditor found, among other things, that Sony had deliberately engaged in insufficient digital security practices, including allowing employees to use basic proper nouns as passwords instead of requiring them to use a complex system involving random letters, numbers and punctuation marks.
If Sony were a bank, the auditor said, its lackluster security practices would put it out of business.
Sony’s then-executive director of security information Jason Spaltro pushed back: If a bank was a Hollywood film studio, he said, it would already be out of business.
“It’s a valid business decision to accept the risk (of a cyberattack),” Spaltro told CIO Magazine in 2007. “I will not invest $10 million to avoid a possible $1 million loss.”
Sony’s attitude toward cybersecurity reflected the way Internet users viewed the online world at the time. Smartphones, cloud storage and even portable computing hadn’t reached critical mass. Computers were still these things, by and large, tied to a desk — people logged on, checked the news, read and responded to e-mail and talked with each other in chat rooms or over instant message. Hacking groups were less mainstream, more rooted in geek folklore — the biggest threat facing home and corporate Internet users at the time came from e-mail attachments potentially infected with computer worms or viruses — something that good, and often free, commercial virus scan software could usually combat.
The Internet times, they have a-changed
Nearly a decade later, the Internet is a very different place. Our digital lives and businesses are almost entirely committed to “the cloud,” whether it’s hosting confidential documents on a corporate Intranet or uploading our intimate photos and videos to Dropbox and iCloud. We communicate instantaneously with face-to-face conversations or by broadcasting our thoughts and opinions in carefully-crafted (but sometimes not) micro-blog posts.
Hackers are no longer limited to high-skilled computer scientists and agents of espionage — collectives such as Anonymous and Lulz Security comprise themselves of average, everyday computer citizens who toggle between researching homework, playing Xbox and bringing down web services. They use a complex series of skills to compromise data from organizations they disagree with, or they use incredibly-simple software to flood a website with traffic in an attempt to cripple it. They’re motivated by government wrongdoing, corporate greed or boredom. They steal secrets. They settle scores. They wreak havoc just for kicks.
Internet threats evolved from something incredibly complex and rare to something seemingly simple and common. Every month, it seems some company is the latest victim of a cyberattack, perpetrated by a foreign or domestic group for any number of reasons. Within the past year alone, dozens of companies have fallen victim to cyberattacks, including JPMorgan Chase, Target, Home Depot, Dairy Queen and P.F. Chang’s restaurant, just to name a few.
The sheer number of data breaches involving major companies prove that corporate America takes an old-school and outdated approach to cybersecurity. In the past four years, Sony — the company that said it would rather take a $1 million hit than invest $10 million in boosting its digital security — has been hit by hackers not once, not twice, not three times, but four times.
In April 2011, hackers compromised tens of millions of user accounts in an attack targeting Sony’s PlayStation gaming network. The attack — the largest compromise of data in four years — rendered the PlayStation Network service unusable for days. Two months later, members of the hacking community Lulz Security compromised user information in an attack targeting the website of Sony Pictures Entertainment, the film wing of the company.
Both attacks exposed the company’s blatant disregard for security. In the case of the PlayStation attack, it was revealed Sony had stored sensitive user information unencrypted on its servers. Sony attempted to make things right with customers by offering free PlayStation Network subscriptions, free games and a pledge to do better going forward.
Three years later, it’s abundantly clear that Sony’s old-school approach to Internet security is still the usual course of business.
In August, Sony’s PlayStation Network was again attacked by a hacking collective calling itself the “Lizard Squad.” The hackers said in a series of posts on Twitter their intention behind the attack was to raise awareness of Sony’s dismal security measures. The Sony PlayStation Network was briefly taken offline, but unlike the 2011 attack, no user information appeared to have been compromised. The attack was, at most, an inconvenience for Sony’s customers.
But the latest compromise to befall Sony seems to be the most serious — and is a glaring indictment that the company has yet to take a serious approach to security.
Sony is not a blameless cyberattack victim
In late November, Sony Pictures Entertainment again found itself the victim of a computer intrusion when a hacking group calling itself the “Guardians of Peace” (GOP) managed to commandeer a network used by Sony employees. The hackers stole, and later published, spreadsheets detailing confidential Sony business practices, including the salaries of high-ranking executives and medical billing information of employees. The hackers also apparently stole and distributed several forthcoming Sony films that have yet to be released in theaters, including “Still Alice” and a reboot of “Annie.”
The compromise was suspected to be the work of hackers working for or in favor of the North Korean government, an apparent response to the Seth Rogen and James Franco movie “The Interview,” an upcoming Sony Pictures film that centers around the fictitious assassination of North Korean leader Kim Jong-un. Anonymous sources told several news organizations that the attack was similar to one targeting South Korean television stations, which were also blamed on North Korea.
A North Korean diplomat told Voice of America Thursday that the country had no involvement in the compromise. Several technology journalists, including Wired’s Kim Zetter, have also cast doubt on North Korea’s involvement; in an interview with a public radio program, Zetter asserted that “nation state hacks aren’t generally noisy like this.”
Who is responsible for the attack isn’t nearly as important as how the attack was allowed to happen. Some former employees are offering clues as to just that — and it looks very bad for Sony.
“Sony’s information security team is a complete joke,” a former employee recently told the news startup Fusion. “We’d report security violations to them and our repeated reports were ignored.”
Another employee said the information security department — a team of just 11 employees — would conduct risk assessments to check the health of the company’s digital security infrastructure, but often would not act on the recommendations that came from those audits.
“The real problem lies in the fact that there was no real investment in or real understanding of what information security is,” the former employee said.
Sony’s failure to put in place proper digital security measurements could cost it more than money. The attacks are likely to cost the company the trust of even its most-loyal customers. In 2014, consumers are willing to forgive one cyber compromise as an annoying, but routine, part of doing business, something almost inevitable. But four attacks in three years? That’s an indication of sheer incompetence or blatant disregard for safeguarding sensitive information.
By the way, Jason Spaltro — the executive from the beginning of this article who suggested the company not spend $10 million to combat a potential $1 million risk — still works at Sony. He has since been promoted to vice president of information security — one of the top executives tasked with ensuring things like the Sony Pictures hack don’t happen. He makes close to $700,000 a year: $300,000 base salary and a $400,000 initiative-based bonus. We know this because hackers published his employment information last week.
Matthew Keys is a contributing journalist for TheBlot Magazine.