News media and social networking sites are ablaze with discussions about Sony Pictures and its film, "The Interview." Everyone has an opinion, and many seem to want the company to stand up for First Amendment rights of creative artists, and not surrender to threats by politically-motivated hackers.
These are all valid concerns. However, Sony seems to be at the nexus of several important, related issues that shouldn't be confused or overlooked:
1. Whether or not Sony Pictures should have made the film, "The Interview."
2. Sony Pictures decided to cancel the Christmas release of the film. Many people feel this was a bad decision, arguing that the company surrendered to the hackers' threats, and that surrender encourages more attacks by politically-motivated hackers.
3. Sony Pictures considers how to release the film (e.g., streaming?) given liability and safety concerns. It may use its Crackle video-streaming service.
4. Several news media outlets published the content of e-mail messages stolen during the hack attack. Despite First Amendment rights in the U.S., Sony threatened legal action against news media outlets that published more e-mail messages. Some people supported Sony's position.
5. The theft and publication of e-mails with embarrassing and insulting content is a reminder of the fragility of online privacy: nothing you say, type, text, post or do online can be guaranteed to remain private. This is important, especially given the growth in usage of "erasable" social services (e.g., Snapchat) and cloud services.
6. The data breach raised concerns that Sony allegedly failed to adequately protect its networks and servers holding the sensitive information it was entrusted with. The latest data breach affected both current and former employees.
7. Several lawsuits have been filed against the company by current and former employees regarding #6, and
8. The U.S. government weighs a "proportional response" given national security concerns of hacking attacks by a foreign country. North Korea denied the cyber-attack, and then proposed a joint investigation with the USA. The USA later rejected that proposal.
This latest data breach at Sony was not the company's first incident. It experienced several breaches during 2011, notably a massive incident at Sony Playstation Network affecting 77 million customers, and at Sony Entertainment Network. Later that year, Sony executives apologized. Earlier this year, the company agreed to a settlement resolving lawsuits about its Playstation Network breach. However, there's more. Forbes magazine reported:
"An email from Courtney Schaberg, VP of legal compliance at Sony Pictures, to general counsel Leah Weil, dated 16 January 2014, reported a compromise of the Sonypictures.de site. The website was swiftly taken down after it emerged the site had been hacked to serve up malware to visitors. Schaberg also expressed concern that email addresses and birth dates for 47,740 individuals who signed up to the site’s newsletter had been accessed by the attacker. On Friday 17 January 2014, Schaberg told Weil that it was unclear whether personal information had been taken as an investigation by a third party would not start until the following Monday, but it was unlikely Sony would disclose the breach publicly."
After the Sony Pictures cyberattack, both current and former employees have already filed lawsuits. TechCrunch described some of the details:
"... Christina Mathis and Michael Corona have filed a federal court complaint against the movie studio, alleging that the company did not take enough precautions to keep employee and employee family data safe... The complaint references tech blog reporting to note that Sony was aware of the insecurity on its network... And it cites several instances of Sony failing to adequately inform former employees of the situation... there were only 11 people on the Sony information security team at the time of the hack..."
The plaintiffs seem to have several valid concerns. Krebs On Security reported:
"According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information. What’s more, it’s beginning to look like the attackers may have destroyed data on an unknown number of internal Sony systems."
Krebs on Security also reported:
"Several files being traded on torrent networks seen by this author include a global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals... Another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data."
So, the sensitive personal data stolen is out in the open where criminals can use and abuse it. And, there may be more. The hackers have threatened to release more stolen information if Sony Pictures releases the film.
On December 15, Sony Pictures published several breach notices, including this general breach notice to its current and former employees (Adobe PDF) worldwide. Accompanying this general notice are several specific notices for residents in the United States, Canada, and Puerto Rico. There are detailed breach notices for residents of Maryland, Massachusetts, North Carolina, and Puerto Rico.
The Sony Pictures breach notice for Massachusetts residents (Adobe PDF) listed the specific data exposed and probably stolen:
"... the following types of personally identifiable information that you provided to SPE may have been subject to unauthorized acquisition: (i) name, (ii) address, (iii) social security number, driver’s license number, passport number, and/or other government identifier, (iv) bank account information, (v) credit card information for corporate travel and expense, (vi) username and passwords, (vii) compensation and (viii) other employment related information. In addition, unauthorized individuals may have obtained (ix) HIPAA protected health information, such as name, social security number, claims appeals information you submitted to SPE (including diagnosis), date of birth, home address, and member ID number to the extent that you and/or your dependents participated in SPE health plans, and (x) health/medical information that you provided to SPE outside of SPE health plans..."
If any items had been encrypted, Sony Pictures probably would have mentioned it. Why wasn't this sensitive information encrypted? That's one problem. Next, the data stolen includes the mother lode of personal, financial, and healthcare information: exactly what identity criminals seek for reselling profitably to other criminals, for impersonating breach victims both online and offline, for taking out fraudulent loans, and for obtaining free health care services.
Sony Pictures has arranged for 12 months of free identity-protection services with AllClearID. As I have written before repeatedly, 12 months is insufficient. The data elements stolen do not magically become obsolete in 12 months. Five or ten years of identity-protection services would be better.
Sony's latest breach, and its unencrypted data storage, make one doubt that its executives have truly learned from prior data breaches, and whether they have truly embraced best practices for data security or continue to cut corners. As TechCrunch reported:
"Sony Director of Information Security Jason Spaltro even gave an interview in 2007 whose whole point was to revel in Sony’s security loopholes: “it’s a valid business decision to accept the risk” of a security breach. “I will not invest $10 million to avoid a possible $1 million loss,” he said at the time. This hack is estimated to cost Sony $100 million after all is said and done. The last one cost the company a cool $171 million..."
[December 24 update: Sony Pictures reversed its prior decision and will release the film in select theatres on Christmas.]