Euro Security Watch with Mathew J. Schwartz

Sony's 7 Breach Response Mistakes

How the Movie Studio Fumbled Its Hack-Attack Reaction

The response by Sony Pictures Entertainment executives to the hack attack against their company provides a number of great examples for how not to handle a data breach.

In the four weeks since Sony suffered its hack attack, the company has issued very little information about the breach, except to say that it was "a very sophisticated cyberattack." Sony's claim has been vindicated by the FBI, which says 90 percent of businesses would have also fallen for the attack, which it's attributed to North Korea - although not specifically its government. The FBI also commended Sony for quickly reporting the hack attack to law enforcement agencies.

But while the attack might have been advanced, Sony's response was not. To date, here are seven mistakes the company has made, many of which could likely have been avoided:

1. Failure to Spot the Breach. Sony's attackers had access to the company's network for some period of time before the destructive phase of the attack. While it's unclear whether the intrusion lasted days, weeks or months, Sony doesn't appear to have detected it until the attackers' malware had already exfiltrated large amounts of Sony data, then "detonated" on November 24, erasing hard drives and "bricking" systems by overwriting their master boot record.

2. Poor Breach Response. Sony has been slammed, most notably by President Obama, for caving to a demand from Guardians of Peace - the group that's claimed credit for the attack - that the studio never release a comedy that centers on an assassination plot against North Korean leader Kim Jong-un. "Pulling 'The Interview' was exactly the wrong thing to do, as there was no credible threat and it just emboldens the hackers," says security expert Bruce Schneier in a blog post. "But it's the kind of response you get when you don't have a plan."

3. Shooting the Messenger. After Guardians of Peace began leaking stolen Sony data, the studio hired a high-profile attorney and threatened to sue media outlets that reprinted leaked data.

4. Contradicting Themselves. After hiring a celebrity spin doctor, Sony Pictures executives dug themselves in deeper by claiming that they had always meant to release "The Interview," despite previously saying the opposite. It's now due to open in some theaters on Christmas Day.

5. Ceding Control of the Conversation. After the breach, and indications that attackers had stolen executives' Outlook e-mail spools, the company could have proactively stepped forward, apologized in advance for the contents of those communications, and "rallied the troops" by vowing to never back down. By failing to do so, however, Sony executives allowed the attackers to, in effect, control the conversation. "Here's the brilliant thing they did," actor George Clooney told entertainment outlet Deadline, referring to Sony's attackers. "You embarrass them first, so that no one gets on [their] side."

6. Failure to Take Responsibility. Sony executives also failed to take proactive responsibility for the security breach, which resulted in current and former employees' personal information being leaked. "I don't think that anybody thinks that this was anyone's fault who works here, and I think continuity and support and going forward is what's important now," Sony Pictures executive Amy Pascal told Bloomberg News earlier this month. The attempted spin followed her issuing an apology to President Barack Obama after a racially insensitive e-mail conversation that she participated in was leaked by "G.O.P."

7. Hoarding Old E-Mails. Sony general counsel Leah Weil warned a studio executive this past year that employees should be purging their e-mail on a regular basis, Gizmodo reports, citing e-mails leaked by G.O.P. "While undoubtedly there will be e-mails that need to be retained and or stored electronically in a system other than e-mail, many can be deleted and I am informed by our IT colleagues that our current use of the e-mail system for virtually everything is not the best way to do this," Weil said.

Breach experts estimate that Sony's clean-up tab - including related lawsuits - could hit $50 million or $100 million, thus nearly equaling or doubling the reported $44 million it spent to make "The Interview." State Department spokeswoman Marie Harf has called on North Korea to "admit their culpability and compensate Sony for the damages this attack cost."

Here's betting that Sony is left to pay that tab, in no small part because of executives' mistakes. But if executives play their cards right now and continue to release "The Interview" - hint: invite President Obama to a Washington-area premiere - together with some choice retorts to G.O.P., they could settle the breach bill and pave the way for a sequel. Sony, the next move is yours.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.