One month on…
It is now a month since an image of a skeleton appeared on Sony Pictures Entertainment computers alongside the message “Hacked By #GOP” (GOP: Guardians of Peace).
This was accompanied by threats that “internal data” would be released publicly if demands were not met. It is understood that malware began to wipe the hard drives of systems, causing panic throughout the organization, and that significant amounts of critical intellectual property and confidential data were stolen.
Four weeks on, we now know that 33 gigabytes of data has been leaked by the hackers so far. Initial analysis of the publicly exposed data found more than 47,000 unique Social Security numbers.
And, this being a Hollywood movie factory, names included movie stars (apparently, Sylvester Stallone was listed) and other Screen Actors Guild members, directors, writers and makeup artists.
The leaked data also included employee birth dates, medical information, login credentials and sensitive human resources data (like salaries and information on terminations). More than enough to perpetrate comprehensive identity theft and consequential crimes against the victims.
Beyond the massive disruption caused and the required IT clean-up, several Sony movies have also been leaked online. Brad Pitt's recently released World War II film “Fury” has already been illegally downloaded 500,000 times according to a Bloomberg article. Other leaked movies include “Annie”, “Still Alice,” “Mr. Turner,” and “To Write Love On Her Arms.”
The Interview – The harshest review of a movie ever?
Of course, the suspected catalyst for the cyber-attack was the now infamous movie, “The Interview”. The widely-accepted theory is that the film was met with such disapproval by the North Korean state that Sony were threatened with both wide-ranging cyber and even physical attacks if the movie was not stopped.
Why? The plot of the movie centers on two journalists tasked with assassinating North Korea dictator Kim Jong-un.
The movie has now been dropped from general release, seen as a capitulation by Sony to the cyber attackers’ demands, and the reported $44M cost of the production* is unlikely to be recovered (although there are now plans for independent cinemas to screen the movie).
Of this $44M figure, Seth Rogen was reportedly paid $8.4 million while co-star James Franco earned $6.5 million (maybe the only two winners out of the entire episode).
But North Korea wasn’t alone in disliking the movie. Variety magazine commented “…be advised: An evening of cinematic waterboarding awaits.” and “The hype around “The Interview” suggests a take-no-prisoners dirty bomb of a movie, but the reality is more like a deflated whoopee cushion. It goes splat”. Critics aside, the North Koreans remain the most likely party behind the attack, and an initial FBI-backed investigation and report* supports this.
Who will pay the price? And what will the cost be?
Despite the write-off for The Interview and the other losses related to the other leaked movies, it is reported that the most damaging costs to stem from the breach would be "shareholder related litigation alleging deficiency of internal controls and breach of fiduciary duty.”
This would be in addition to the many class action lawsuits from employees and ex-employees alleging that the studio failed to take adequate precautions to protect private information. A lawsuit filed in federal court in Los Angeles last week is similar to three others filed earlier this week, alleging negligence on the part of SPE and violations of privacy laws.
And at an individual level, it may yet cost the head of the company, Amy Pascal*, her job. Leaving aside the lack of governance at the company that allowed the attack to succeed and the losses to be so damaging, there have also been emails leaked from the attack that would have caused huge personal embarrassment. Most damaging from a public relations perspective is a series of racially-charged jokes Pascal made with producer Scott Rudin for which they have been forced to apologize. In addition, there has been a series of other email revelations including jibes and criticism of a number of leading Hollywood actors.
“A Wake up call for U.S. Corporations” (and everyone else)
What does it mean for the rest of us? Brian Krebs has summed it up succinctly. Writing on ‘Krebs on Security’ about the Sony Pictures Entertainment* breach, he commented “If this incident isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is.”
And he is right. This should serve as a wake-up call at all levels – shareholders, executives, employees.
Your organization may not be stirring up a hornets’ nest the way Sony Pictures was, but do you have any competitors that may want to steal your company’s intellectual property? Or disgruntled employees that want to hit back? Or unhappy customers that would like to see your company suffer? Are there any ethical objections to your business practices, or could someone get a kick out of vandalizing your IT systems just for fun? What if your company systems were breached and held to ransom by internet-savvy racketeers?
Hacking methods are no different from other technology-based commodities: they inevitably become more widely understood and are then replicated on a wider basis. Next year will see both more advanced malware than this year and, at the same time, a raising of the bar for the ‘average’ cyber-attack. Put another way, the ability to mount a Sony PE-style attack won’t remain the preserve of state-sponsored hackers.
While we all continue to use internet-connected systems and provide employee access to our internal networks, our company data, our operational stability and our good name are vulnerable to a potential cyber-attack.
Conclusion: Time to face facts, take action
The only way forward is to get serious about cyber security and implement comprehensive, layered security defenses and operational procedures.
Advanced breach detection and file integrity monitoring measures are essential as a backstop for the fallibility of anti-virus.
Educating staff in safe computer usage, and monitoring user activity to detect unusual behavior, is as important as any Health and Safety training.
Locking down and hardening systems to remove vulnerabilities, so that hackers have fewer weaknesses to exploit, is as important as any physical security implemented at your business premises. If it does impose some cost on system operation and business agility, that should be seen as a necessary price to pay, like wearing name badges, door card swipes and gates on the car park.
And just as importantly, start to assume you will be breached at some stage – give file integrity monitoring and intrusion detection as much attention as preventive defenses, and encrypt and tokenize data so that even if it is stolen or lost, the damage will be limited.
2014 feels like a watershed year – roll up all the high-profile breaches involving Staples, Home Depot, Dairy Queen, HSBC, eBay, Korea Credit Bureau and Kmart, then factor in other data breaches such as The Snappening and Sony PE, and it begins to look like the point where ‘something must be done’.
That ‘something’ needs to be a shift in priorities for cyber security understanding, resourcing, spending and operational emphasis. The time for action is now. Happy New Year!