Seth Shapiro's Business Innovation Blog

The hack of Sony Pictures Entertainment (SPE) has grown into a national Rorschach test, a yardstick for all that’s ailing America: isolated corporate leaders, bankrupt celebrity culture, media manipulation and the threat of foreign aggression. A quick chronology:

#1: The Scandal.

The very unfortunate emails of some SPE execs were leaked in one of the earlier document releases. If you follow me on Facebook, you’ve seen my opinion on this.

#2: The Attack.

After the scope of the doc dump became clear, the assertions began: that the hack was due to The Interview – and that North Korea was the culprit.

This story was accelerated by the FBI’s quick assertion that substantive evidence pointed to North Korea – a position embraced by the White House and still held today.

However, the quality of that evidence has been called into question by many security experts – notably by Norse Security here and here, and by Bruce Schneier here – who assert that the evidence is flimsy at best.

#3: The Dirty Trick.

Many have called the incident a publicity stunt for The Interview. That argument dies once you understand that massive segments of Sony’s infrastructure were completely destroyed, and will have to be rebuilt from the ground up. A lighter argument against the dirty trick theory comes from my friend Ryan Holiday, here.

#4: The Inside Job.

There is increasing evidence supporting the assertion that the attack was at least partially an inside job – expect more people to take up this position as the days go on.

#5: Inadequate Protection.

So here’s the truth, or at least part of it:

Sony has had a checkered past in security and IT discipline. There is a long list of documented security failures, the best-known of which is the Playstation hack that began four years ago, exposing the customer information and credit card numbers of up to 77 million Playstation users.

In the words of Philip Hopbell, a 40-year veteran of Hollywood tech security:

“In April 2011, Sony’s Playstation and Qriocity networks were hacked – and as best as anyone can tell, this was accomplished with a simple SQL injection. Here, a fairly basic script is run on a website, gains access to a database, and allows the hacker to steal personal data.”

In other words, the barrier to entry was likely quite low. And the Playstation problems, by Sony’s admission, cost them over $171 million.

But this incident may have been part of a broader pattern. One writer has compiled a history of Sony hacks here. He lists 24 Sony security issues, and concurs with Hopbell:

“Sony has demonstrated they have not implemented what any rational administrator or security professional would consider “the absolute basics”… Several of Sony’s sites have been compromised as a result of basic SQL injection attacks, nothing elaborate or complex.”

Other security experts, including Department of Defense contractor Simon Higgs, date the problems back to 2001 and the inclusion of problematic software on a range of Sony CDs. These included the infamous XCP rootkit – and resulted in massive PC problems for innocent customers.

The most damning item may be a 2005 CIO Magazine interview. Here, Sony’s SVP of Information Security called it a “valid business decision to accept the risk of a security breach”, and a reasonable business judgment to eliminate security costs of “$10 million to avoid a possible $1 million loss.”

The real costs may approach $1 billion.

All of this pales in comparison to the real victims of this incident: the thousands of Sony employees and contractors (past and current) whose Social Security numbers and personal information (including medical records, in some cases) are now online for all to see. This is the substance of at least one of the brewing class action suits filed by Sony’s employees:

“At its core, the story of ‘what went wrong’ at Sony boils down to… inexcusable problems: …Sony failed to secure its computer systems, servers, and databases… despite weaknesses that it has known about for years, because Sony made a ‘business decision to accept the risk’ of losses associated with being hacked.”

The bottom line: companies (especially those whose business is technology) can’t be casual in their own houses. Hacking is as much a part of the technology landscape as the Playstation, the Walkman or the Trinitron – and will continue to be.

And this story isn’t over yet.

Posted in Blog by Seth Shapiro.
