On 11/24/2014, the Guardians of Peace (#GOP) announced on Reddit that they had hacked Sony Pictures Entertainment’s network, claiming that #GOP had stolen 100 terabytes of data. The stolen data, laid out for public consumption in various data dumps around the Internet, included employee information (social security numbers, dates of birth, medical records, salary information), corporate information (spreadsheets containing Sony layoff information, business plans, their network architecture, movie scripts, and even actual movies), and other confidential information. Then the attackers destroyed data to emphasize that their demands were serious.
While Sony has not commented much publicly except to yank The Interview (formerly scheduled to be released on Christmas Day), there has been considerable speculation on the person or groups responsible. The story—as we know it at this moment—sounds like a movie plot. (Are you listening, Sony? When ya gonna make this movie?) There are spies, hacking, extortion … all the elements of a great plot … except a hero or heroine.
Sony, you get to play the whimpering coward sniveling in the corner. Who’s going to step up to be the hero? That’s the question.
As I see it there are four possible hacker group combinations:
- The North Koreans hacked Sony because of the movie Sony produced called The Interview. It’s a comedy, and probably not a very good one.
- One or more disgruntled Sony employees took the data. How many people has Sony laid off?
- The North Koreans and the disgruntled employee group separately hacked Sony.
- The North Koreans managed to get someone inside Sony.
In my opinion, in order to steal this much data, someone inside Sony had to help. Also, the data sounds like it’s very organized. Whoever stole it knew where to look and what to take and what to post first to make it hurt. And it has a personal feel to it. No, it’s more than the North Koreans.
For a more in-depth analysis of the hackers, read Why the Sony hack is unlikely to be the work of North Korea.
North Korea: if you’re reading this, it’s just a movie. There have been several movies made about US presidents getting assassinated; here are a few:
- Vantage Point
- Death of a President
- The Manchurian Candidate (1962)
- The Manchurian Candidate (2004)
And of course, Wag the Dog cannot be left out of any movie list that discusses the death of a president’s political life.
I agree with President Obama that pulling the movie was a mistake.
However, there are some lessons we can all learn here:
- Email is not private. Before you send any email, decide how you would feel if it ended up on the front page of the New York Times.
- This is not the first time Sony has been publicly hacked. Remember the PlayStation Network debacle in April 2011, which affected 77 million customer accounts? This was followed by an attack on May 2, 2011, against 24.5 million accounts at Sony Online Entertainment. Did Sony learn anything from those two incidents? Apparently not.
- Compliance is not security! Doing the minimum necessary to comply with a law or laws is not enough to keep your information safe.
- Just because you have a security breach doesn’t mean you have to lose 100 terabytes of data.
- If the company you work for does not take information security and privacy seriously, find someplace else to work. According to com, leaked emails indicate that Sony had 195 security breaches from September 1, 2013 through June 30, 2014. However, it’s hard to determine the seriousness of those incidents from the information presented.
How can you tell if your employer is taking security and privacy seriously? Do they say “security is important” but cut the budget? Do they train employees on security and privacy? Do they patch their systems and keep their software updated? Have they had a breach? What did they do?
- If the company that you buy goods or services from does not protect your information, take your business elsewhere.
Vote with your feet and your money! Protect your information; there’s no one that it matters more to than you.