North Korea's Sony hack seen as cyber security game-changer
Risk and security experts examining the unprecedented cyber attack on Sony Pictures Entertainment Inc. see it as a game-changer for companies who think they have a handle on cyber security.
The brazen hack U.S. officials blamed on North Koreans leaves Sony facing a host of risk management, legal and liability problems that could significantly tarnish its brand. President Barack Obama on Friday said the U.S. will respond to North Korea for the malicious cyber breach, expected to cost Sony tens of millions of dollars.
Suddenly, breaches “are not all about credit cards,” said Rena Mears, San Francisco-based managing director in the data risk, data security and privacy practice for law firm Buckley Sandler L.L.P. “This one is being used rather uniquely to make demands on a company and individuals.”
The debacle for Sony Corp., which suffered an earlier breach in 2011 in which hackers accessed more than 100 million PlayStation consumer accounts, began in late November with hackers stealing more than 100 terabytes of data — a breach so massive technology experts said it will take Sony more than a year to analyze exactly what's been released into the wild.
So far, the tally is five feature films, droves of embarrassing and potentially damning internal Sony emails, salaries for studio executives, personal information of more than 47,000 studio employees, and the promise of more to come.
“What the Sony attack has indicated is these attacks are not limited to companies with personal information,” said Kevin Kalinich, Chicago-based cyber global practice leader for Aon Risk Solutions. “This is a wake-up call to companies.”
And the casualties are mounting for the global entertainment company. Last week, Sony Pictures canceled the widespread theater release of the film “The Interview,” after threats were made to theaters that planned to feature the comedy depicting the assassination of North Korean President Kim Jong-un. Also in the wake of the scandal, two class action lawsuits emerged against Sony from employees alleging negligence in protecting their personal information in the months leading to the cyber attack.
“This is the first incident that made national news that's targeted the company and its way of doing business,” said Shari Klevens, Washington-based head of the insurance division for McKenna Long & Aldridge L.L.P. “Up until now (cyber) attacks have been random, with a company being targeted because they did not have protections in place. (The Sony) attack has to make people nervous about being targeted for the work they do. The motive here is different ... There are a lot of companies that do things people don't like, and this creates a new risk.”
A group that calls itself Guardians of Peace boasted responsibility, and the FBI has since pegged North Korea as the culprit, a revelation greeted with skepticism within the information technology community that introduced the term “hacktivism” into the cyber security lexicon. Was this the work of people with a social or political agenda, or an attack assisted by a disgruntled Sony employee?
“This is fluid; it can change tomorrow,” said Adam Cottini, New York-based managing director for the cyber liability practice of Arthur J. Gallagher & Co.
CNN reported late last week that North Korean hackers pilfered computer credentials of a Sony systems administrator to breach the firm's computer system.
Risk analysts say the fiasco reveals a number of actual and potential problems for Sony: liability; reputational damage; business disruption; further scrutiny of employees; civil rights issues; supply-chain losses; cyber terrorism; defamation lawsuits; and skyrocketing forensics costs.
“This has blown out into more exposures,” Mr. Cottini said. “People are scrambling.”
Even something as simple as sending an email — seemingly trite, yet vital to the way businesses operate — is at issue. “This has put the spotlight on communications,” Mr. Cottini said, adding that people working from the executive level down will think twice about what they write in internal communications.
Meanwhile, technology experts are warning that cyber risk is no longer a back-burner issue and traditional anti-virus software and computer network firewalls are a protection of the past.
“This attack signifies a lot of resources went into the breach and it increases difficulty for the defender to discover whether there will be more to come,” said Fengmin Gong, the Santa Clara, California-based co-founder and chief strategy officer for information technology security firm Cyphort Inc. “This is most challenging (for companies). The threat landscape is changing.”
As for Sony, now entrenched in what appears to be an ongoing dilemma with more turns and twists than a blockbuster thriller, at least one cyber risk expert said the company ought to focus more on its public relations as it grapples with the difficult aftermath of the breach.
Jody Westby, Washington-based CEO for Global Cyber Risk L.L.C. and adjunct professor with the Atlanta-based Georgia Institute of Technology, chided Sony Pictures for sending letters to media outlets demanding they not reveal any information found in illegally obtained and released data, such as internal Sony emails.
“This action is almost certain to generate publicity and reveals just how poorly prepared Sony was to manage a substantial cyber incident,” Ms. Westby wrote in a memorandum to other cyber security professionals.
On questions of reputation damage, Ms. Westby said of Sony in an interview: “They're doing it to themselves. They think sending a letter and threatening people is the answer. It's the stupidest move I have seen in a company in a cyber breach.
“No company is bulletproof,” she said. “They need to get serious about cyber security.”
Repeated attempts by Business Insurance to reach Sony for comment were unsuccessful.