It was like something out of a movie. Early in the morning of November 24, 2014, just a few days before Thanksgiving, the same ominous message was displayed on every employee computer at Sony Pictures Entertainment. There was a red background and a picture of a skeleton along with the words “We’ve already warned you, and this is just the beginning.” Just above, a banner stated in bold red lettering “Hacked by #GOP,” later revealed to be an acronym for the supposed hacking collective “Guardians of Peace.” The message went on to say that if Sony did not obey the hacker’s demands, all of Sony’s data including their “secrets and top secrets” would be released to the world. Following the threat was a list of links to stolen files to prove they weren’t bluffing. The deadline to meet the demands was just hours away.
Later that morning, the media began reporting that Sony had been hacked. Beyond the stolen files, all phones and email services within the company were shut down. As a precaution, Sony had basically shut down their entire network, bringing the company’s global business to a grinding halt. Computers remained unavailable for many employees well after Thanksgiving, and some executives even resorted to using their old BlackBerry phones to communicate, because, somewhat amazingly, the seemingly obsolete devices were able to connect to a network that hadn’t been hacked.
The fallout for Sony was massive. The hackers hit Sony where it hurt: in the pocketbook. High-quality video files of films that had just debuted in theaters like Fury and Annie were released to the public, or at least to anybody who downloaded stolen movies from a torrent site instead of paying for a theater ticket. The hack released embarrassing emails between executives discussing everything from President Obama’s presumed reaction to 12 Years a Slave to complaints about the company’s negotiations with celebrities. Other emails between lower-level employees discussing their thoughts about what is wrong with the direction of the company found their way to gossip websites like Gawker. The general tone was that the films the company produced were boring: “There is a general ‘blah-ness’ to the films we produce… We continue to be saddled with the mundane, formulaic Adam Sandler films.”
For a company that was already going through a rough patch, the emails opened the door to the internal dissatisfaction with the way things were being done at Sony. The emails between Sony Pictures co-chairwoman Amy Pascal and producer Scott Rudin are embarrassing for them to be sure, but it’s obvious that they never expected these conversations to be made public. Just about any organization would be humiliated if their emails were released, because of the level of privacy one assumes when writing in an email. The reason the Sony Hack produced such newsworthy fodder was that the emails were talking about celebrities, like Angelina Jolie and Kevin Hart. From a network security standpoint, the content of the emails is irrelevant. It’s the fact that they were so easily made public that is alarming.
It has not been determined exactly who the Guardians of Peace were. Many, including the FBI, believe that the hack was the work of North Korea in retaliation for Sony’s The Interview, which depicted the assassination of dictator Kim Jong-Un. Nefarious as this plot may seem, a country whose entire internet was blacked out just one month after the hack might not be the cyber-attack threat everyone makes them out to be. That point is debatable. What isn’t questionable is how insecure Sony’s network was. Once the hackers were in, whoever they were, they had absolutely everything they needed. Once they had access to Sony’s servers, the infiltrators might have noticed filenames such as Master_Password_Sheet.xls, which were unencrypted and contained exactly what you’d think they would contain: plain-text passwords for a number of applications. The hackers released this list along with the other files under the filename bonus.rar. The specificity of the filenames would be somewhat mind-boggling to anybody well versed in network security. The list is populated with filenames like “Important Passwords – TAAS, Outlook, Novell.txt” and “Mcafeepassword.txt.” All of these files were left unencrypted on an open file-sharing network, with helpful names telling people exactly what they contained.
It’s almost gracious for the hackers to let Sony know which passwords were stolen from the company so they know what to fix. On the other hand, Sony should be embarrassed about how they treated their employees’ personal information. Many of the files contained information linked to both personal and business financial accounts, like American Express cards. Moreover, it wasn’t until almost two weeks after the hack that the media reported that over 47,000 Social Security numbers (presumably from employees) had been stolen.
The lesson from the Sony Hack for other corporations is a simple one: Don’t put all of your faith in your firewall. A strong firewall is like a sturdy metal door in front of your home. It will protect you from most intruders, but if the key to that door falls into the wrong hands, you had better be sure that all of your doors inside your home are locked. Sony didn’t do this. They spent all of their time trusting the front door, while inside they left their safes unlocked and handwritten notes about where the valuable jewelry is stashed.
Even if you don’t stand to suffer a multimillion-dollar loss from a hack like Sony did, you should still take precautions to hide your personal data. Make your passwords secure and difficult to guess and change them often. If you need to keep a list of them somewhere, don’t keep them on your computer (maybe a USB drive in a lockbox at home) and don’t make the filename obvious. When online, opt for two-step verification when it’s available. This usually involves entering a password and then having a code sent to your phone to make sure it’s you logging in. A hack into your system might not be as intriguing as one into a major film studio, but it could be just as devastating for you. Take a moment to review a few tips about how to secure your data and you can rest easy at night knowing your embarrassing emails will never come to light.
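The “locked doors inside the house” lesson and the advice about not leaving obviously named password files around can be turned into a routine check. The script below is an added example, not code from the original post or from Sony: it walks a file share, flags files whose names advertise credentials (the way “Master_Password_Sheet.xls” and “Mcafeepassword.txt” did) and files whose contents contain a “password = …” style line, so an administrator can find and remove such files before anyone else does. The filename fragments, the line pattern, and the sample files it builds in a temporary directory are all constructed for the demonstration.

```python
import os
import re
import tempfile

# Filename fragments that, like the names in the Sony dump, tell a reader
# exactly what the file holds. Constructed list for this example.
SUSPICIOUS_NAME_PARTS = ("password", "passwd", "pwd", "credential", "secret")

# A "label: value" or "label = value" line whose label names a password.
CREDENTIAL_LINE = re.compile(r"(?i)\b(pass(word)?|pwd)\s*[:=]\s*\S+")


def scan_share(root):
    """Walk `root` and return sorted (relative_path, reasons) pairs for files
    that look like plain-text credential stores."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if any(part in name.lower() for part in SUSPICIOUS_NAME_PARTS):
                reasons.append("filename advertises credentials")
            try:
                # Text-mode read with errors ignored so binary files don't abort the scan.
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if CREDENTIAL_LINE.search(line):
                            reasons.append(f"credential-looking line {lineno}")
                            break  # one hit is enough to flag the file
            except OSError:
                pass  # unreadable file: report nothing rather than crash
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_share():
    """Create a temporary directory with constructed sample files: two named
    like the leaked Sony files, one innocuous-looking note that contains a
    password line, and one clean spreadsheet export."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    samples = {
        "Important Passwords - TAAS, Outlook, Novell.txt":
            "Outlook password: hunter2\nNovell pwd = n0vell\n",
        "Mcafeepassword.txt": "s3cret\n",            # obvious name, bare content
        "notes.txt": "meeting at 3pm\nServer admin password = letmein\n",
        "q3_budget.csv": "dept,amount\nmarketing,1200\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel_path, reasons in scan_share(share):
        print(f"{rel_path}: {', '.join(reasons)}")
```

Run against a real share, the output is a to-do list: every flagged file should be moved into a proper password manager or an encrypted container and deleted from the share. The content pattern is deliberately narrow (a label followed by a colon or equals sign) to keep false positives low; widen it to taste for your environment.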