The aftermath of the Sony Pictures breach that we first reported on two weeks ago continues to make headlines.
As the days pass it looks increasingly like the wound inflicted on the media giant was larger and more grievous than was initially assumed, but facts are still thin on the ground.
Naked Security’s Chester Wisniewski summarised what we know for sure in his recent Chet Chat podcast with Paul Ducklin.
The truth of the matter is that something bad happened.
...I don't think Sony probably has any idea what's been touched in a network that large.
We may never know for sure how bad the breach was but news organisations are attempting to fill the void by combing the internet for signs of the outflow.
If media speculation is to be believed then the theft and online distribution of unreleased movies like Annie and Fury that followed news of the break-in was just the tip of the iceberg.
Exfiltrated information found in massive files currently being traded on file-sharing networks such as Bit Torrent reportedly include the taxpayer IDs of more than 47,000 current and former employees and actors, including that of Hollywood celebrities such as Sylvester Stallone, Judd Apatow and Australian actress Rebel Wilson.
An analysis of 33,000 Sony documents by security firm Identity Finder reportedly turned up personal data, including salaries and home addresses, for employees who stopped working at Sony as far back as 2000.
The attack, which branded Sony employees’ computer screens with the glowing red skeleton trademark of a group calling itself Guardians of Peace, has also been linked with the doxing of employees’ home addresses, their medical histories, the results of sales meetings with local TV executives, and an unreleased pilot script written by Vince Gilligan, the creator of the enormously popular series Breaking Bad.
News organisation Buzzfeed has been sifting through 40GB of data it believes originated from the attack, and summed up its findings with the headline: This Is As Bad As It Gets.
The leaked compensation reports were extremely detailed, as well, covering employees from every rung of the corporate ladder, from executives with multimillion-dollar contracts to workers earning less than $21,000.
The salary reports also included each employee’s last three years of compensation, plus their target bonus, actual bonus, and base salary, going further still to compare employees to similarly situated employees in other companies and to review their proposed contracts for the next three years.
And still, it gets worse.
The documents, which were made public the weekend of 29 November, covered Sony’s human resources, sales, and marketing teams, among others.
But, if the attackers are to be believed, that’s just a fraction of the 100TB of data they got away with.
The FBI is investigating the breach. In the meantime, plenty of people are pointing fingers at North Korea – a charge the country first responded to by enigmatically telling people to “wait and see“. It has since denied responsibility.
At this point, Sony’s being bloodied in the media-regulated court of public opinion. Unfortunately these embarrassing developments are falling around the ears of a company that’s no stranger to severe cyber attack: in 2011, Sony’s PlayStation Network was breached leading to the leak of personal information of 70 million people.
On top of all this comes a report on Fusion that former employees have said that they raised alarms about specific vulnerabilities on company websites and systems that the company never addressed.
An anonymous ex-employee describes the information security at Sony Pictures as “a complete joke”.
It’s difficult to know where to put such damning revelations because we have no idea how fair a picture they paint.
With facts so thin on the ground, perhaps we should search for lessons instead.
If nothing else, the Sony Pictures attack is a reminder to look to our own companies and our own responsibilities within them. Or, as Naked Security’s Mark Stockley put it:
Rather than pointing and feeling smug about it, we should take a long, cold look at our own systems and ask how they'd look strewn over Pastebin.
From what little we know for sure about the breach, and what we can imply from the information apparently leaked so far, Sony’s security problems don’t seem all that unusual.
Naked Security’s Paul Ducklin and Chester Wisniewski discussed some of them in their most recent Chet Chat podcast.
They highlight that the fallout from this attack, and other recent breaches, suggests that too many staff have too much access to too many places. It seems that we all need to “divide and conquer” a bit better to contain attackers once they’ve breached the perimeter.
“Divide and conquer” (network segregation, stricter access controls, limiting write access) is part of “defense in depth.”
They sound like truisms. But there’s a reason they’re called truisms – because they’re true.
You can listen to Paul and Chester’s discussion on the Sony breach in the full podcast, embedded below: