(The following story has been updated with comment from Amazon.)
“They did it again,” said Brian Strange, attorney with Strange & Carpenter, referring to the massive security breach Japanese electronics conglomerate Sony suffered on Nov. 24th—the second major security violation the company has faced in the past three years. Strange was one of the attorneys on the class action lawsuit that was filed against Sony in 2012 after 77 million members of its PlayStation Network had their personal information stolen by hackers.
Sony settled that suit in July, agreeing to give away $15 million of games and services to those affected. Now, less than six months later, a second class action suit is in the cards from employees of Sony Pictures Entertainment, with current and former employees seeing reams of personal information—including social security numbers, health insurance reimbursements and performance evaluations with salaries—exposed to the world. The data leak affected 47,000 people, including actors and contractors—not to mention Sony’s reputation.[more]
“Much of this information was stored in unencrypted, and often non-password-protected, files that were easy picking for determined hackers,” Buzzfeed reports.
“To be sure, the two batches of leaked files from Sony Pictures exhibits a remarkably lax approach to data security, such as one directory called ‘passwords’ with more than 100 documents containing logins and passwords for business services like LexisNexis and Bloomberg along with personal services like Fidelity.”
At the center of the company’s global IT (and reputation) meltdown: Sony’s upcoming film The Interview, which is still scheduled for release on Christmas Day, and which may (or may not) have led to the latest security attack.
In the film, Dave Skylark (James Franco) and Aaron Rapoport (Seth Rogen) of tabloid TV show Skylark Tonight land an interview with North Korean leader Kim Jong-un, who is a fan of the show—a plot no doubt inspired by Vice’s “TV coup” in bringing Dennis Rodman to North Korea. En route to Pyongyang, the CIA recruits them to assassinate him.
A critical scene in the film in which Kim Jong-un’s head explodes gave particular concern to “the highest ranks of the global conglomerate,” Re/code reports, after combing through the gigabytes of email messages that hackers released between Sony Pictures Co-Chairman Amy Pascal, President Steven Mosko and Seth Rogen. (Those emails were nowhere near as incendiary as the leaked communications between Pascal and producer Scott Rudin detailing the studio’s loss of a Steve Jobs biopic to Universal—and more is to come.)
As Buzzfeed notes, the death scene in The Interview “was so bloody it apparently prompted Kaz Hirai, CEO of Sony Corporation, to express some unspecified worries, according to the emails. North Korea denounced the film to the United Nations and to President Obama, and called it, among other things, ‘an act of war.'”
The hackers, who call themselves the Guardians of Peace (GoP), reportedly sent extortion emails to Sony to get them to cancel the movie release and presumably plan to take down more companies by infiltrating weak IT firewalls, according to security analysts.
While Re/code reported that Sony may be using Amazon Web Services to disrupt downloads of its stolen files, an Amazon spokesperson clarified to brandchannel:
“AWS employs a number of automated detection and mitigation techniques to prevent the misuse of our services. In cases where the misuse is not detected and stopped by the automated measures, we take manual action as soon as we become aware of any misuse. Our terms are clear about this. The activity being reported is not currently happening on AWS.”
North Korea has denied involvement in the Sony hack while praising the group claiming responsibility, who demanded that Sony not distribute “the movie of terrorism” in a plot twist worthy of a, well, Seth Rogen and James Franco comedy.
As it attempts to salvage a holiday box office season that also includes the Cameron Diaz reboot of Annie, which opens next week, Sony’s geek squad is also busying patching up the PlayStation network, which went offline following a hacker attach on Monday and has since been restored.
While only 8,000 out of 140,000 Sony employees work on Sony Computer Entertainment (aka the PlayStation brand), “That small group of people is now largely responsible for the near future of the mothership,” Engadget reports. “In short, Sony’s leaning on its PlayStation arm to buoy the whole company’s financials for the next several years.”
It can use the revenue—this latest hacker attack could cost the company an estimated $100 million to fix. Even Daddy Warbucks would be hard-pressed to come up with that.