Sony's Breach Notification: The Details

Compromised Information, Including Health Data, Described
Sony Pictures Entertainment has issued a breach notification letter to its current and former employees following a Nov. 24 "wiper" malware attack that led to massive amounts of internal data getting leaked online.

The company has also been hit with a class action lawsuit by former employees for failing to protect their private information.

In the letter, Sony Pictures confirmed that personally identifiable information, including healthcare data, for employees and their dependents may have been compromised as a result of a "brazen cyber-attack."

The official notification follows the widely reported leaks of not just high-quality digital versions of unreleased movies, including a remake of "Annie" and the Brad Pitt World War II drama "Fury," but also sensitive internal documents listing all employees' salaries, among other details.

Information Exposed

Information that may have been taken by the hackers, according to Sony's notification letter, includes names, addresses, Social Security numbers, driver's license numbers, passport numbers and/or other government identifiers, bank account information, credit card information for corporate travel and expenses, usernames and passwords, compensation and other employment-related information.

In addition, the hackers may have obtained HIPAA-protected health information, including health insurance claims appeals information submitted to Sony. That information includes diagnosis and disability codes; date of birth; home address; member ID number, to the extent that an employee and their dependents participated in Sony's health plans; and health/medical information provided to Sony outside of the company's health plans.

Affected employees are being offered free identity protection services for one year through AllClear ID. "To protect against possible identity theft or other financial loss, [Sony] encourages you to remain vigilant, review your account statements, monitor your credit reports and change your passwords," the company says in its notification letter.

Sony tells its employees in the letter that after the attack, it took prompt action to contain the data breach, engaged security consultants and contacted law enforcement.

Earlier news reports indicated that the health information was taken from various spreadsheets and e-mails. One leaked document, for instance, listed the most expensive medical procedures undertaken by the company's employees in 2012, according to pop culture news site Fusion. A report by the Japan Times says an e-mail was leaked between Sony's insurer, Aetna Inc., and its human resources department over a denied claim that contains the name of an employee and the type of surgery the worker's spouse had.

Sony Pictures has also updated the homepage of its website to notify its employees about the compromise of personal details, including health information.

The company did not immediately respond to a request for comment.

'Valueless Gesture'

Sony Pictures' cyber-attack is unprecedented, says Neal O'Farrell, executive director at the Identity Theft Council, "not only in the apparent motivation, but the amount and type of information the thieves got their hands on."

The fact that impacted individuals are only being offered free identity protection for a year is a "hollow and largely valueless gesture in this case," O'Farrell contends. "The thieves have so much information [that] many of these employees could be dealing with the aftermath for years - long after Sony has moved on from it. A lifetime of free protection and support would be a minimum, and even that might not be enough."

Class Action Lawsuit

Sony Pictures is also facing its first class action lawsuit by former and current employees who are blaming the company for failing to protect their private information.

Keller Rohrback, a Seattle-based law firm, filed the lawsuit on Dec. 15 in federal district court in Los Angeles on behalf of several former employees of Sony. The complaint alleges that Sony was negligent and violated various states' consumer and data protection laws, according to the law firm. In addition, the former employees allege that Sony failed to address security weaknesses that had been known for years, in turn exposing their private information to hackers.

The employees are asking the court to order Sony to pay for enhanced credit monitoring services, identity theft insurance and credit restoration services, among other requests for relief.

"Given the repeated data breaches suffered by Sony, as well as recent significant data breach events in the retailer context, Sony knew or should have known that such a security breach was likely and taken adequate precautions to protect its current and former employees' [personal information]," the complaint says.

Breach Recap

On Nov. 24, Sony Pictures Entertainment was hit with destructive "wiper" malware identified as "Destover," which is also known as "Wipall." The malware reportedly infected and erased hard drives at the movie studio (see: Sony Hack: 'Destover' Malware Identified). Following the attack, a group called Guardians of Peace claimed credit.

The Federal Bureau of Investigation confirmed Dec. 1 that it's assisting in the Sony breach investigation. "The FBI is working with our interagency partners to investigate the recently reported cyber-intrusion at Sony Pictures Entertainment," the FBI said in a statement provided to Variety. "The targeting of public and private sector computer networks remains a significant threat, and the FBI will continue to identify, pursue and defeat individuals and groups who pose a threat in cyberspace."

Three weeks following the attack, Sony hired a prominent U.S. attorney to threaten to sue media outlets that reproduce the leaked information, and to demand that they delete all leaked e-mails, contracts and other information (see: Sony Breach Response: Legal Threats).

About the Author

Jeffrey Roman
News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.