Sony Breach is Wakeup Call for Businesses

In November of 2014, Sony Pictures experienced a data breach so large that it was described as "unparalleled" and "unprecedented" by Kevin Mandia, head of Mandiant Security Consulting Services, hired by Sony to investigate the event.

Attacked by "Guardians of Peace"

Launched by a group calling themselves the Guardians of Peace, or GOP, the attack on Sony was carried out via torrent sites using package files and links. The result was a data breach large enough to compromise the information of at least 4,000 current and past Sony employees as well as give the GOP insight into the "inner workings" of the company.

Risk Based Security (RBS), an industry security firm, contacted the GOP in an attempt to get more information about the breach. The response included veiled threats indicating that the attack wasn't over along with a link that led to a dormant Facebook page. As the breach spread, the GOP began to send other messages with more specific threats, some of which referenced a Sony film called "The Interview," which was set to be released in late December.

Massive Data Compromise

The breach effectively shut Sony down for a period of time. Film shoots were canceled, investigations were launched, and employees began filing lawsuits against the company for failing to protect personal information.

To complicate the situation, the GOP began releasing stolen data in early December. The information was wide-ranging and included sensitive material such as:

  • Employee names and IDs
  • Social security numbers
  • Email addresses
  • Phone numbers
  • Passwords and login information for multiple services
  • Work histories
  • Details of salaries and medical coverage
  • Passport and travel details
  • Sales reports
  • News site credentials
  • Publicity files
  • Celebrity contact information and aliases
  • Unreleased movies

By uploading the compromised data to torrents, the hackers made it available to the general public and put thousands of Sony employees, as well as celebrities who worked on Sony films, at risk of malicious attacks, identity theft and invasions of privacy. The movie files alone were downloaded over 100,000 times by users, and it's unknown exactly how many people gained access to the other information.

This wasn't the first time that Sony experienced data compromise. In 2011, a series of attacks was launched on the PlayStation Network. These incidents serve to highlight the need for companies to have solid data security measures in place.

Suspects but No Solutions

Although it was never determined exactly who the Guardians of Peace were, many suspected that the group may have been made up of North Koreans who were upset about the pending release of "The Interview." Due to the movie's political content, North Korea had already complained to the UN about its release, stating that it would consider the appearance of the film in theaters to be an "act of war." However, other sources pointed to China as the source of the breach.

Whoever was behind the attack and whatever their ultimate goal was, the Sony security breach could have long-lasting consequences for the company. The fact that Sony was already aware of vulnerabilities in its data security measures raises questions of trust between the company and its employees. It creates concerns regarding the overall security of working at or with Sony in the future and is likely to have a negative impact on the company's public image.

The Sony breach is a wakeup call for businesses that aren't putting enough time and money into their personal information privacy efforts. To keep employees safe, companies have to know exactly how much data they have stored and develop a comprehensive plan to protect it at all costs.